[gnome-calculator] number: do not access text_out beyond its bounds in bitwise function
- From: Robert Roth <robertroth src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gnome-calculator] number: do not access text_out beyond its bounds in bitwise function
- Date: Sun, 25 Sep 2016 01:14:36 +0000 (UTC)
commit c5f59e371704183141f92893f85e59f451648844
Author: Tobias Mueller <muelli cryptobitch de>
Date: Sun Sep 18 06:57:06 2016 +0200
number: do not access text_out beyond its bounds in bitwise function
The text_out buffer has just been created as a char array with
offset_out + 1 elements. So we can access element 0 to offset_out.
offset_out+1 is beyond the bounds. We simply increase the size by one.
While this fixes this issue, I think it is not the most elegant
solution.
I found this with ASan when opening programming mode and then pressing, e.g.
7 AND 3 Enter:
=================================================================
==13==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200025bb91 at pc 0x7f6f28554292 bp 0x7f6f15cdfba0 sp 0x7f6f15cdfb98
WRITE of size 1 at 0x60200025bb91 thread T6
#0 0x7f6f28554291 (/app/lib/gnome-calculator/libcalculator.so+0x17a291)
#1 0x7f6f2854e91c in number_and (/app/lib/gnome-calculator/libcalculator.so+0x17491c)
#2 0x7f6f284d6923 (/app/lib/gnome-calculator/libcalculator.so+0xfc923)
#3 0x7f6f284c84f6 in lr_node_solve_lr (/app/lib/gnome-calculator/libcalculator.so+0xee4f6)
#4 0x7f6f284c7bc6 (/app/lib/gnome-calculator/libcalculator.so+0xedbc6)
#5 0x7f6f284c62b4 in parse_node_solve (/app/lib/gnome-calculator/libcalculator.so+0xec2b4)
#6 0x7f6f284dddd0 in parser_parse (/app/lib/gnome-calculator/libcalculator.so+0x103dd0)
#7 0x7f6f284b63d4 in equation_parse (/app/lib/gnome-calculator/libcalculator.so+0xdc3d4)
#8 0x7f6f28519692 (/app/lib/gnome-calculator/libcalculator.so+0x13f692)
#9 0x7f6f2851a1dc (/app/lib/gnome-calculator/libcalculator.so+0x1401dc)
#10 0x7f6f2851c30d (/app/lib/gnome-calculator/libcalculator.so+0x14230d)
#11 0x7f6f25414834 (/lib/libglib-2.0.so.0+0x6e834)
#12 0x7f6f239503c3 (/lib/libpthread.so.0+0x73c3)
#13 0x7f6f2368ddec in __clone (/lib/libc.so.6+0xe8dec)
0x60200025bb91 is located 0 bytes to the right of 1-byte region [0x60200025bb90,0x60200025bb91)
allocated by thread T6 here:
#0 0x7f6f28b4cd60 in __interceptor_calloc (/usr/lib64/libasan.so.3+0xc1d60)
#1 0x7f6f253f40b0 in g_malloc0 (/lib/libglib-2.0.so.0+0x4e0b0)
#2 0x7f6f2854e91c in number_and (/app/lib/gnome-calculator/libcalculator.so+0x17491c)
#3 0x7f6f284d6923 (/app/lib/gnome-calculator/libcalculator.so+0xfc923)
#4 0x7f6f284c84f6 in lr_node_solve_lr (/app/lib/gnome-calculator/libcalculator.so+0xee4f6)
#5 0x7f6f284c7bc6 (/app/lib/gnome-calculator/libcalculator.so+0xedbc6)
#6 0x7f6f284c62b4 in parse_node_solve (/app/lib/gnome-calculator/libcalculator.so+0xec2b4)
#7 0x7f6f284dddd0 in parser_parse (/app/lib/gnome-calculator/libcalculator.so+0x103dd0)
#8 0x7f6f284b63d4 in equation_parse (/app/lib/gnome-calculator/libcalculator.so+0xdc3d4)
#9 0x7f6f28519692 (/app/lib/gnome-calculator/libcalculator.so+0x13f692)
#10 0x7f6f2851a1dc (/app/lib/gnome-calculator/libcalculator.so+0x1401dc)
#11 0x7f6f2851c30d (/app/lib/gnome-calculator/libcalculator.so+0x14230d)
#12 0x7f6f25414834 (/lib/libglib-2.0.so.0+0x6e834)
Thread T6 created by T0 here:
#0 0x7f6f28abbde9 in __interceptor_pthread_create (/usr/lib64/libasan.so.3+0x30de9)
#1 0x7f6f25431caf (/lib/libglib-2.0.so.0+0x8bcaf)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/app/lib/gnome-calculator/libcalculator.so+0x17a291)
==13==ABORTING
https://bugzilla.gnome.org/show_bug.cgi?id=771610
lib/number.vala | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
---
diff --git a/lib/number.vala b/lib/number.vala
index a6d0857..bab6afc 100644
--- a/lib/number.vala
+++ b/lib/number.vala
@@ -1377,7 +1377,7 @@ public class Number : Object
return new Number.integer (0);
}
- var text_out = new char[offset_out + 1];
+ var text_out = new char[offset_out + 2];
/* Perform bitwise operator on each character from right to left */
for (text_out[offset_out+1] = '\0'; offset_out >= 0; offset_out--)
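Review bot: the new size `offset_out + 2` is correct but reads like a magic number, and nothing at the allocation site says why it is two: the loop writes digits at indices offset_out down to 0 (offset_out + 1 characters) and the for-initializer writes the NUL at index offset_out + 1, so offset_out + 2 elements are needed. A one-line comment at the allocation ("offset_out + 1 digits plus the NUL terminator") would make that explicit, and moving `text_out[offset_out+1] = '\0';` out of the for-initializer into its own statement above the loop would make the terminator write visible; as written, a later reader may well "correct" the size back to offset_out + 1.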