babl_component_new(): fix global-buffer-overflow

If we pass a string into this function, and this string is shorter than
sizeof(Babl), macro BABL_IS_BABL() will read past string bounds,
and bad things may happen.

NOTE: if a string will be passed into this function, that is not
handled by those  if (!strcmp (arg, "<...>")),  global-buffer-overflow
will still happen. i am not sure if/what can be done about it :(

Fixes following error:
=================================================================
==28935==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f6e2393f940 at pc 0x7f6e23919b5f bp 0x7ffc7b9ca770 sp 0x7ffc7b9ca768
READ of size 4 at 0x7f6e2393f940 thread T0
    0 0x7f6e23919b5e in babl_component_new /home/lebedevri/src/_GIMP/babl/babl/babl-component.c:82
    1 0x7f6e2391cbda in babl_core_init /home/lebedevri/src/_GIMP/babl/babl/babl-core.c:96
    2 0x7f6e23919379 in babl_init /home/lebedevri/src/_GIMP/babl/babl/babl.c:145
    3 0x7f6e280ca3d1 in gegl_post_parse_hook (/usr/local/lib/libgegl-0.3.so.0+0x523d1)
    4 0x7f6e231cd238 in g_option_context_parse (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55238)
    5 0x7f6e231ce193 in g_option_context_parse_strv (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x56193)
    6 0x48b8cf in main (/usr/local/bin/gimp-2.9+0x48b8cf)
    7 0x7f6e221e1b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    8 0x486b68 (/usr/local/bin/gimp-2.9+0x486b68)

0x7f6e2393f943 is located 0 bytes to the right of global variable '*.LC1' from 'babl-core.c' (0x7f6e2393f940) of size 3
  '*.LC1' is ascii string 'id'
SUMMARY: AddressSanitizer: global-buffer-overflow /home/lebedevri/src/_GIMP/babl/babl/babl-component.c:82 babl_component_new
Shadow bytes around the buggy address:
  0x0fee4471ff10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fee4471ff20: 05 f9 f9 f9 f9 f9 f9 f9[03]f9 f9 f9 f9 f9 f9 f9
  0x0fee4471ff30: 07 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==28935==ABORTING

diff --git a/babl/babl-component.c b/babl/babl-component.c
index a483b19617b41efe185b2e97d82f33d7639f21a4..c3b617e3308f0dea06712e359769f9443a450ea9 100644 (file)
--- a/babl/babl-component.c
+++ b/babl/babl-component.c
@@ -79,16 +79,8 @@ babl_component_new (void *first_arg,
       if (!arg)
         break;
 
-      if (BABL_IS_BABL (arg))
-        {
-#ifdef BABL_LOG
-          Babl *babl = (Babl *) arg;
-          babl_log ("%s unexpected", babl_class_name (babl->class_type));
-#endif
-        }
-      /* if we didn't point to a babl, we assume arguments to be strings */
-
-      else if (!strcmp (arg, "id"))
+      /* first, we assume arguments to be strings */
+      if (!strcmp (arg, "id"))
         {
           id = va_arg (varg, int);
         }
@@ -108,6 +100,15 @@ babl_component_new (void *first_arg,
           alpha = 1;
         }
 
+      /* if we didn't point to a known string, we assume argument to be babl */
+      else if (BABL_IS_BABL (arg))
+        {
+#ifdef BABL_LOG
+          Babl *babl = (Babl *) arg;
+          babl_log ("%s unexpected", babl_class_name (babl->class_type));
+#endif
+        }
+
       else
         {
           babl_fatal ("unhandled argument '%s' for component '%s'", arg, name);