[gnome-calculator] Function manager: Check for 0-sized array of math functions when sorting



commit 455d6a2b4745007f549a4e0c101b76b6edb3f25a
Author: Tobias Mueller <muelli cryptobitch de>
Date:   Sun Sep 18 05:58:40 2016 +0200

    Function manager: Check for 0-sized array of math functions when sorting
    
    Otherwise, array.length-1 will be 0-1 == -1.
    And it'll try to access array[-1] which is not very good.
    We prevent that by checking for the array size
    and we're also asserting array index values to reference actual data
    instead of pointing outside the array.
    
    I found this with ASan when opening programming mode and clicking "ans" from
    the "X" drop down box:
    
    =================================================================
    ==14==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200028b308 at pc 0x7f14b5110f70 bp 0x7ffcc3f8b800 sp 0x7ffcc3f8b7f8
    READ of size 8 at 0x60200028b308 thread T0
        #0 0x7f14b5110f6f  (/app/lib/gnome-calculator/libcalculator.so+0x12af6f)
        #1 0x7f14b5111b1d in function_manager_functions_eligible_for_autocompletion_for_text (/app/lib/gnome-calculator/libcalculator.so+0x12bb1d)
        #2 0x44104f in function_completion_provider_get_matches_for_completion_at_cursor (/app/bin/gnome-calculator+0x44104f)
        #3 0x4422fa  (/app/bin/gnome-calculator+0x4422fa)
        #4 0x44065a in completion_provider_populate (/app/bin/gnome-calculator+0x44065a)
        #5 0x7f14b4a1c1b1 in gtk_source_completion_provider_populate (/app/lib/libgtksourceview-3.0.so.1+0x2021b1)
        #6 0x7f14b4a0600f  (/app/lib/libgtksourceview-3.0.so.1+0x1ec00f)
        #7 0x7f14b4a06346  (/app/lib/libgtksourceview-3.0.so.1+0x1ec346)
        #8 0x7f14b1ffb5c2  (/lib/libglib-2.0.so.0+0x495c2)
        #9 0x7f14b1ffab89 in g_main_context_dispatch (/lib/libglib-2.0.so.0+0x48b89)
        #10 0x7f14b1ffaf07  (/lib/libglib-2.0.so.0+0x48f07)
        #11 0x7f14b1ffafab in g_main_context_iteration (/lib/libglib-2.0.so.0+0x48fab)
        #12 0x7f14b25bb9fc in g_application_run (/lib/libgio-2.0.so.0+0xaa9fc)
        #13 0x412965 in calculator_main (/app/bin/gnome-calculator+0x412965)
        #14 0x4129c9 in main (/app/bin/gnome-calculator+0x4129c9)
        #15 0x7f14b01d168f in __libc_start_main (/lib/libc.so.6+0x2068f)
        #16 0x40c5f8 in _start (/app/bin/gnome-calculator+0x40c5f8)
    
    0x60200028b308 is located 8 bytes to the left of 8-byte region [0x60200028b310,0x60200028b318)
    allocated by thread T0 here:
        #0 0x7f14b5755d60 in __interceptor_calloc (/usr/lib64/libasan.so.3+0xc1d60)
        #1 0x7f14b20000b0 in g_malloc0 (/lib/libglib-2.0.so.0+0x4e0b0)
        #2 0x44104f in function_completion_provider_get_matches_for_completion_at_cursor (/app/bin/gnome-calculator+0x44104f)
        #3 0x4422fa  (/app/bin/gnome-calculator+0x4422fa)
        #4 0x44065a in completion_provider_populate (/app/bin/gnome-calculator+0x44065a)
        #5 0x7f14b4a1c1b1 in gtk_source_completion_provider_populate (/app/lib/libgtksourceview-3.0.so.1+0x2021b1)
        #6 0x7f14b4a0600f  (/app/lib/libgtksourceview-3.0.so.1+0x1ec00f)
        #7 0x7f14b4a06346  (/app/lib/libgtksourceview-3.0.so.1+0x1ec346)
        #8 0x7f14b1ffb5c2  (/lib/libglib-2.0.so.0+0x495c2)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/app/lib/gnome-calculator/libcalculator.so+0x12af6f)
    Shadow bytes around the buggy address:
      0x0c0480049610: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c0480049620: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fa
      0x0c0480049630: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
      0x0c0480049640: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c0480049650: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 04 fa
    =>0x0c0480049660: fa[fa]00 fa fa fa fd fd fa fa fd fa fa fa 04 fa
      0x0c0480049670: fa fa fd fa fa fa fd fd fa fa 00 00 fa fa 00 00
      0x0c0480049680: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
      0x0c0480049690: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
      0x0c04800496a0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
      0x0c04800496b0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==14==ABORTING
    
    https://bugzilla.gnome.org/show_bug.cgi?id=771609

 lib/function-manager.vala |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)
---
diff --git a/lib/function-manager.vala b/lib/function-manager.vala
index ca4bd09..d07c87a 100644
--- a/lib/function-manager.vala
+++ b/lib/function-manager.vala
@@ -325,6 +325,8 @@ public class FunctionManager : Object
 
     private MathFunction[] array_sort_math_function (MathFunction[] array)
     {
+        if (array.length == 0)
+            return array;
         bool swapped = true;
         int j = (array[array.length - 1] == null ? 1 : 0);
         MathFunction tmp;
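Review bot: the early return is the right fix for the ASan report, since `array[array.length - 1]` on the next line is the read that goes 8 bytes left of the allocation when `array.length` is 0; with the guard in place, the rest of the function only indexes when at least one element exists. The `== null ? 1 : 0` check on the last element implies the caller may hand over an array with a trailing null slot, so it would help to document in a comment above the function which shapes of `array` are accepted (empty, all populated, or one trailing null), as the bubble-sort loop below dereferences `array[i].name` and relies on that convention to avoid a null dereference.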
@@ -333,8 +335,10 @@ public class FunctionManager : Object
         {
             swapped = false;
             j++;
+            assert (0 <= j <= array.length);
             for (int i = 0; i < array.length - j; i++)
             {
+                assert (0 <= (i+1) < array.length);
                 if (array[i].name > array[i + 1].name)
                 {
                     tmp = array[i];
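Review bot: the two asserts use a chained comparison, `0 <= j <= array.length` and `0 <= (i+1) < array.length`, which Vala does not read the Python way; it parses as `(0 <= j) <= array.length`, comparing a bool with an int, so the intended bound check is not expressed. Write them as explicit conjunctions: `assert (0 <= j && j <= array.length);` and `assert (i + 1 < array.length);` (the lower bound on `i + 1` is trivially true since `i` starts at 0). Note also that the loop condition `i < array.length - j` with `j` incremented before the loop already keeps `i + 1` inside the array, so these asserts are documentation rather than protection, and Vala's `assert` maps to `g_assert`, which is compiled out when `G_DISABLE_ASSERT` is defined; the real guard is the length check in the previous hunk.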

