[babl] babl_component_new(): fix global-buffer-overflow
- From: Øyvind Kolås <ok src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [babl] babl_component_new(): fix global-buffer-overflow
- Date: Wed, 24 Jun 2015 16:30:52 +0000 (UTC)
commit 786034dda83d5dc7e56e60e7bb074127de576642
Author: Roman Lebedev <lebedev ri gmail com>
Date: Sat Jun 13 16:54:21 2015 +0300
babl_component_new(): fix global-buffer-overflow
If we pass a string into this function, and this string is shorter than
sizeof(Babl), macro BABL_IS_BABL() will read past string bounds,
and bad things may happen.
NOTE: if a string will be passed into this function, that is not
handled by those if (!strcmp (arg, "<...>")), global-buffer-overflow
will still happen. i am not sure if/what can be done about it :(
Fixes following error:
=================================================================
==28935==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f6e2393f940 at pc 0x7f6e23919b5f
bp 0x7ffc7b9ca770 sp 0x7ffc7b9ca768
READ of size 4 at 0x7f6e2393f940 thread T0
0 0x7f6e23919b5e in babl_component_new /home/lebedevri/src/_GIMP/babl/babl/babl-component.c:82
1 0x7f6e2391cbda in babl_core_init /home/lebedevri/src/_GIMP/babl/babl/babl-core.c:96
2 0x7f6e23919379 in babl_init /home/lebedevri/src/_GIMP/babl/babl/babl.c:145
3 0x7f6e280ca3d1 in gegl_post_parse_hook (/usr/local/lib/libgegl-0.3.so.0+0x523d1)
4 0x7f6e231cd238 in g_option_context_parse (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55238)
5 0x7f6e231ce193 in g_option_context_parse_strv (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x56193)
6 0x48b8cf in main (/usr/local/bin/gimp-2.9+0x48b8cf)
7 0x7f6e221e1b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
8 0x486b68 (/usr/local/bin/gimp-2.9+0x486b68)
0x7f6e2393f943 is located 0 bytes to the right of global variable '*.LC1' from 'babl-core.c'
(0x7f6e2393f940) of size 3
'*.LC1' is ascii string 'id'
SUMMARY: AddressSanitizer: global-buffer-overflow /home/lebedevri/src/_GIMP/babl/babl/babl-component.c:82
babl_component_new
Shadow bytes around the buggy address:
0x0fee4471ff10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fee4471ff20: 05 f9 f9 f9 f9 f9 f9 f9[03]f9 f9 f9 f9 f9 f9 f9
0x0fee4471ff30: 07 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==28935==ABORTING
babl/babl-component.c | 21 +++++++++++----------
1 files changed, 11 insertions(+), 10 deletions(-)
---
diff --git a/babl/babl-component.c b/babl/babl-component.c
index a483b19..c3b617e 100644
--- a/babl/babl-component.c
+++ b/babl/babl-component.c
@@ -79,16 +79,8 @@ babl_component_new (void *first_arg,
if (!arg)
break;
- if (BABL_IS_BABL (arg))
- {
-#ifdef BABL_LOG
- Babl *babl = (Babl *) arg;
- babl_log ("%s unexpected", babl_class_name (babl->class_type));
-#endif
- }
- /* if we didn't point to a babl, we assume arguments to be strings */
-
- else if (!strcmp (arg, "id"))
+ /* first, we assume arguments to be strings */
+ if (!strcmp (arg, "id"))
{
id = va_arg (varg, int);
}
@@ -108,6 +100,15 @@ babl_component_new (void *first_arg,
alpha = 1;
}
+ /* if we didn't point to a known string, we assume argument to be babl */
+ else if (BABL_IS_BABL (arg))
+ {
+#ifdef BABL_LOG
+ Babl *babl = (Babl *) arg;
+ babl_log ("%s unexpected", babl_class_name (babl->class_type));
+#endif
+ }
+
else
{
babl_fatal ("unhandled argument '%s' for component '%s'", arg, name);
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]
