From 786034dda83d5dc7e56e60e7bb074127de576642 Mon Sep 17 00:00:00 2001 From: Roman Lebedev Date: Sat, 13 Jun 2015 16:54:21 +0300 Subject: [PATCH] babl_component_new(): fix global-buffer-overflow If we pass a string into this function, and this string is shorter than sizeof(Babl), macro BABL_IS_BABL() will read past string bounds, and bad things may happen. NOTE: if a string will be passed into this function, that is not handled by those if (!strcmp (arg, "<...>")), global-buffer-overflow will still happen. i am not sure if/what can be done about it :( Fixes following error: ================================================================= ==28935==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f6e2393f940 at pc 0x7f6e23919b5f bp 0x7ffc7b9ca770 sp 0x7ffc7b9ca768 READ of size 4 at 0x7f6e2393f940 thread T0 0 0x7f6e23919b5e in babl_component_new /home/lebedevri/src/_GIMP/babl/babl/babl-component.c:82 1 0x7f6e2391cbda in babl_core_init /home/lebedevri/src/_GIMP/babl/babl/babl-core.c:96 2 0x7f6e23919379 in babl_init /home/lebedevri/src/_GIMP/babl/babl/babl.c:145 3 0x7f6e280ca3d1 in gegl_post_parse_hook (/usr/local/lib/libgegl-0.3.so.0+0x523d1) 4 0x7f6e231cd238 in g_option_context_parse (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55238) 5 0x7f6e231ce193 in g_option_context_parse_strv (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x56193) 6 0x48b8cf in main (/usr/local/bin/gimp-2.9+0x48b8cf) 7 0x7f6e221e1b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44) 8 0x486b68 (/usr/local/bin/gimp-2.9+0x486b68) 0x7f6e2393f943 is located 0 bytes to the right of global variable '*.LC1' from 'babl-core.c' (0x7f6e2393f940) of size 3 '*.LC1' is ascii string 'id' SUMMARY: AddressSanitizer: global-buffer-overflow /home/lebedevri/src/_GIMP/babl/babl/babl-component.c:82 babl_component_new Shadow bytes around the buggy address: 0x0fee4471ff10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0fee4471ff20: 05 f9 f9 f9 f9 f9 f9 f9[03]f9 f9 f9 f9 f9 f9 f9 0x0fee4471ff30: 07 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Contiguous container OOB:fc ASan internal: fe ==28935==ABORTING --- babl/babl-component.c | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/babl/babl-component.c b/babl/babl-component.c index a483b19..c3b617e 100644 --- a/babl/babl-component.c +++ b/babl/babl-component.c @@ -79,16 +79,8 @@ babl_component_new (void *first_arg, if (!arg) break; - if (BABL_IS_BABL (arg)) - { -#ifdef BABL_LOG - Babl *babl = (Babl *) arg; - babl_log ("%s unexpected", babl_class_name (babl->class_type)); -#endif - } - /* if we didn't point to a babl, we assume arguments to be strings */ - - else if (!strcmp (arg, "id")) + /* first, we assume arguments to be strings */ + if (!strcmp (arg, "id")) { id = va_arg (varg, int); } @@ -108,6 +100,15 @@ babl_component_new (void *first_arg, alpha = 1; } + /* if we didn't point to a known string, we assume argument to be babl */ + else if (BABL_IS_BABL (arg)) + { +#ifdef BABL_LOG + Babl *babl = (Babl *) arg; + babl_log ("%s unexpected", babl_class_name (babl->class_type)); +#endif + } + else { babl_fatal ("unhandled argument '%s' for component '%s'", arg, name); -- 2.30.2