diff options
| author | Roman Lebedev <lebedev.ri@gmail.com> | 2015-06-13 16:57:20 +0300 |
|---|---|---|
| committer | Øyvind Kolås <pippin@gimp.org> | 2015-06-24 18:28:34 +0200 |
| commit | a49f2461c3c012633027f4dbf898fbc51d5aac85 (patch) | |
| tree | 526d651450fc1b0874f6fc7a1aa4c8ba5fcc82d1 /babl/babl-model.c | |
| parent | 786034dda83d5dc7e56e60e7bb074127de576642 (diff) | |
babl_model_new(): fix global-buffer-overflow
If we pass a string into this function, and this string is shorter than
sizeof(Babl), macro BABL_IS_BABL() will read past string bounds,
and bad things may happen.
NOTE: if a string will be passed into this function, that is not
handled by those if (!strcmp (arg, "<...>")), global-buffer-overflow
will still happen. i am not sure if/what can be done about it :(
Fixes following error:
=================================================================
==31464==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f1c25907940 at pc 0x7f1c258f7636 bp 0x7ffdc4838670 sp 0x7ffdc4838668
READ of size 4 at 0x7f1c25907940 thread T0
0 0x7f1c258f7635 in babl_model_new /home/lebedevri/src/_GIMP/babl/babl/babl-model.c:114
1 0x7f1c258e4ce5 in babl_core_init /home/lebedevri/src/_GIMP/babl/babl/babl-core.c:128
2 0x7f1c258e1379 in babl_init /home/lebedevri/src/_GIMP/babl/babl/babl.c:145
3 0x7f1c2a0923d1 in gegl_post_parse_hook (/usr/local/lib/libgegl-0.3.so.0+0x523d1)
4 0x7f1c25195238 in g_option_context_parse (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55238)
5 0x7f1c25196193 in g_option_context_parse_strv (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x56193)
6 0x48b8cf in main (/usr/local/bin/gimp-2.9+0x48b8cf)
7 0x7f1c241a9b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
8 0x486b68 (/usr/local/bin/gimp-2.9+0x486b68)
0x7f1c25907943 is located 0 bytes to the right of global variable '*.LC1' from 'babl-core.c' (0x7f1c25907940) of size 3
'*.LC1' is ascii string 'id'
SUMMARY: AddressSanitizer: global-buffer-overflow /home/lebedevri/src/_GIMP/babl/babl/babl-model.c:114 babl_model_new
Shadow bytes around the buggy address:
0x0fe404b18f10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe404b18f20: 05 f9 f9 f9 f9 f9 f9 f9[03]f9 f9 f9 f9 f9 f9 f9
0x0fe404b18f30: 07 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==31464==ABORTING
Diffstat (limited to 'babl/babl-model.c')
| -rw-r--r-- | babl/babl-model.c | 24 |
1 files changed, 13 insertions, 11 deletions
diff --git a/babl/babl-model.c b/babl/babl-model.c index dda1cbe..02f3c0b 100644 --- a/babl/babl-model.c +++ b/babl/babl-model.c @@ -111,7 +111,19 @@ babl_model_new (void *first_argument, while (1) { - if (BABL_IS_BABL (arg)) + /* first, we assume arguments to be strings */ + if (!strcmp (arg, "id")) + { + id = va_arg (varg, int); + } + + else if (!strcmp (arg, "name")) + { + assigned_name = va_arg (varg, char *); + } + + /* if we didn't point to a known string, we assume argument to be babl */ + else if (BABL_IS_BABL (arg)) { Babl *bablc = (Babl *) arg; @@ -156,16 +168,6 @@ babl_model_new (void *first_argument, break; } } - /* if we didn't point to a babl, we assume arguments to be strings */ - else if (!strcmp (arg, "id")) - { - id = va_arg (varg, int); - } - - else if (!strcmp (arg, "name")) - { - assigned_name = va_arg (varg, char *); - } else { |