[gnome-calculator] number: do not access text_out beyond its bounds in bitwise function



commit c5f59e371704183141f92893f85e59f451648844
Author: Tobias Mueller <muelli cryptobitch de>
Date:   Sun Sep 18 06:57:06 2016 +0200

    number: do not access text_out beyond its bounds in bitwise function
    
    The text_out buffer has just been created as a char array with
    offset_out + 1 elements. So we can access element 0 to offset_out.
    offset_out+1 is beyond the bounds.  We simply increase the size by one.
    While this fixes this issue, I think it is not the most elegant
    solution.
    
    I found this with ASan when opening programming mode and then pressing, e.g.
    7 AND 3 Enter:
    =================================================================
    ==13==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200025bb91 at pc 0x7f6f28554292 bp 0x7f6f15cdfba0 sp 0x7f6f15cdfb98
    WRITE of size 1 at 0x60200025bb91 thread T6
        #0 0x7f6f28554291  (/app/lib/gnome-calculator/libcalculator.so+0x17a291)
        #1 0x7f6f2854e91c in number_and (/app/lib/gnome-calculator/libcalculator.so+0x17491c)
        #2 0x7f6f284d6923  (/app/lib/gnome-calculator/libcalculator.so+0xfc923)
        #3 0x7f6f284c84f6 in lr_node_solve_lr (/app/lib/gnome-calculator/libcalculator.so+0xee4f6)
        #4 0x7f6f284c7bc6  (/app/lib/gnome-calculator/libcalculator.so+0xedbc6)
        #5 0x7f6f284c62b4 in parse_node_solve (/app/lib/gnome-calculator/libcalculator.so+0xec2b4)
        #6 0x7f6f284dddd0 in parser_parse (/app/lib/gnome-calculator/libcalculator.so+0x103dd0)
        #7 0x7f6f284b63d4 in equation_parse (/app/lib/gnome-calculator/libcalculator.so+0xdc3d4)
        #8 0x7f6f28519692  (/app/lib/gnome-calculator/libcalculator.so+0x13f692)
        #9 0x7f6f2851a1dc  (/app/lib/gnome-calculator/libcalculator.so+0x1401dc)
        #10 0x7f6f2851c30d  (/app/lib/gnome-calculator/libcalculator.so+0x14230d)
        #11 0x7f6f25414834  (/lib/libglib-2.0.so.0+0x6e834)
        #12 0x7f6f239503c3  (/lib/libpthread.so.0+0x73c3)
        #13 0x7f6f2368ddec in __clone (/lib/libc.so.6+0xe8dec)
    
    0x60200025bb91 is located 0 bytes to the right of 1-byte region [0x60200025bb90,0x60200025bb91)
    allocated by thread T6 here:
        #0 0x7f6f28b4cd60 in __interceptor_calloc (/usr/lib64/libasan.so.3+0xc1d60)
        #1 0x7f6f253f40b0 in g_malloc0 (/lib/libglib-2.0.so.0+0x4e0b0)
        #2 0x7f6f2854e91c in number_and (/app/lib/gnome-calculator/libcalculator.so+0x17491c)
        #3 0x7f6f284d6923  (/app/lib/gnome-calculator/libcalculator.so+0xfc923)
        #4 0x7f6f284c84f6 in lr_node_solve_lr (/app/lib/gnome-calculator/libcalculator.so+0xee4f6)
        #5 0x7f6f284c7bc6  (/app/lib/gnome-calculator/libcalculator.so+0xedbc6)
        #6 0x7f6f284c62b4 in parse_node_solve (/app/lib/gnome-calculator/libcalculator.so+0xec2b4)
        #7 0x7f6f284dddd0 in parser_parse (/app/lib/gnome-calculator/libcalculator.so+0x103dd0)
        #8 0x7f6f284b63d4 in equation_parse (/app/lib/gnome-calculator/libcalculator.so+0xdc3d4)
        #9 0x7f6f28519692  (/app/lib/gnome-calculator/libcalculator.so+0x13f692)
        #10 0x7f6f2851a1dc  (/app/lib/gnome-calculator/libcalculator.so+0x1401dc)
        #11 0x7f6f2851c30d  (/app/lib/gnome-calculator/libcalculator.so+0x14230d)
        #12 0x7f6f25414834  (/lib/libglib-2.0.so.0+0x6e834)
    
    Thread T6 created by T0 here:
        #0 0x7f6f28abbde9 in __interceptor_pthread_create (/usr/lib64/libasan.so.3+0x30de9)
        #1 0x7f6f25431caf  (/lib/libglib-2.0.so.0+0x8bcaf)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/app/lib/gnome-calculator/libcalculator.so+0x17a291)
    Shadow bytes around the buggy address:
    ==13==ABORTING
    
    https://bugzilla.gnome.org/show_bug.cgi?id=771610

 lib/number.vala |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
---
diff --git a/lib/number.vala b/lib/number.vala
index a6d0857..bab6afc 100644
--- a/lib/number.vala
+++ b/lib/number.vala
@@ -1377,7 +1377,7 @@ public class Number : Object
             return new Number.integer (0);
         }
 
-        var text_out = new char[offset_out + 1];
+        var text_out = new char[offset_out + 2];
 
         /* Perform bitwise operator on each character from right to left */
         for (text_out[offset_out+1] = '\0'; offset_out >= 0; offset_out--)
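Review bot: the new size is correct but the arithmetic stays implicit; the loop initializer writes the terminator at `text_out[offset_out+1]`, so the array must hold offset_out + 1 digits plus one NUL, and `offset_out + 2` encodes that without saying so, which is exactly how the original `offset_out + 1` slipped through. Consider naming the digit count, e.g. `var digits = offset_out + 1;` then `var text_out = new char[digits + 1];` with the terminator written at `text_out[digits]`, so the +1 for the NUL is visible and the allocation and the terminator index cannot drift apart again. A regression test for the `7 AND 3` programming-mode case from the commit message would also be worth adding, since the overflow is a single byte into the redzone and is silent without ASan.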

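As an added C illustration (constructed here, not the project's Vala code): the right-to-left digit loop from the hunk with the buffer size it actually needs, plus a length check that refuses the undersized buffer the sanitizer caught. Digit strings are assumed to be hexadecimal, and the helper names are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Value of a hexadecimal digit character, or -1 if it is not one. */
static int digit_value(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = (char) tolower((unsigned char) c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Bytes needed when the last digit lands at index offset_out:
 * digits 0..offset_out (offset_out + 1 bytes) plus one NUL terminator.
 * This is the offset_out + 2 the commit arrives at. */
size_t bitwise_result_size(size_t offset_out)
{
    return offset_out + 2;
}

/* Per-digit AND of two right-aligned hex digit strings, filled right to
 * left into out, mirroring the loop shape in number.vala. Returns 0 on
 * success, -1 on a non-hex digit or an undersized output buffer. */
int bitwise_and_digits(const char *a, const char *b, char *out, size_t out_len)
{
    long ia = (long) strlen(a) - 1, ib = (long) strlen(b) - 1;
    long offset_out = ia > ib ? ia : ib;
    if (offset_out < 0) return -1;                    /* both inputs empty */
    if (out_len < bitwise_result_size((size_t) offset_out))
        return -1;   /* a buffer of offset_out + 1 bytes is refused here */

    /* The terminator write is the one that overflowed the old buffer. */
    for (out[offset_out + 1] = '\0'; offset_out >= 0; offset_out--, ia--, ib--) {
        int da = ia >= 0 ? digit_value(a[ia]) : 0;   /* shorter input: pad 0 */
        int db = ib >= 0 ? digit_value(b[ib]) : 0;
        if (da < 0 || db < 0) return -1;
        out[offset_out] = "0123456789abcdef"[da & db];
    }
    return 0;
}

/* Convenience for checks: 1 if a AND b yields expected, else 0. */
int and_matches(const char *a, const char *b, const char *expected)
{
    char buf[64];   /* constructed: large enough for the inputs used here */
    if (bitwise_and_digits(a, b, buf, sizeof buf) != 0) return 0;
    return strcmp(buf, expected) == 0;
}
```

Leading zeros are kept, so a mixed-length pair such as `1c` AND `f` yields `0c`, as the digit-indexed loop produces.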