Some more fixes for issues found by afl/asan (#500)
* Fix uninitialized warning in lowranceusr
* Fix stack buffer overlow in lowranceusr
%15.10f may produce more characters than what fits into the
buffer of 32 bytes. Use std::isnan to avoid the sprintf.
==
2133227==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff9bab5b20 at pc 0x7fc83fd95865 bp 0x7fff9bab57e0 sp 0x7fff9bab4f70
WRITE of size 38 at 0x7fff9bab5b20 thread T0
#0 0x7fc83fd95864 in vsprintf (/lib64/libasan.so.5+0x9e864)
#1 0x7fc83fd95d1e in sprintf (/lib64/libasan.so.5+0x9ed1e)
#2 0x767bbb in lowranceusr_parse_waypt /home/gpsbabel/gpsbabel.git/lowranceusr.cc:813
#3 0x77be54 in lowranceusr_parse_waypts /home/gpsbabel/gpsbabel.git/lowranceusr.cc:1116
#4 0x781151 in data_read /home/gpsbabel/gpsbabel.git/lowranceusr.cc:1658
#5 0xc7ac71 in run /home/gpsbabel/gpsbabel.git/main.cc:339
#6 0x4cdd62 in main /home/gpsbabel/gpsbabel.git/main.cc:707
#7 0x7fc83f29d1a2 in __libc_start_main (/lib64/libc.so.6+0x271a2)
#8 0x4cef7d in _start (/home/gpsbabel/gpsbabel.git/gpsbabel+0x4cef7d)
* Ensure string is terminated mps_readstr in mapsource
When EOF or buffer limit is reached, the return buffer might not be
zero-terminated. So add termination at the end of the buffer and read
max sz - 1 bytes from file instead of sz bytes.
==
2145172==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd2ba34e00 at pc 0x7f005812dbbd bp 0x7ffd2ba34860 sp 0x7ffd2ba34008
READ of size 1028 at 0x7ffd2ba34e00 thread T0
#0 0x7f005812dbbc (/lib64/libasan.so.5+0x67bbc)
#1 0x557c62 in QString::fromUtf8(char const*, int) /usr/include/qt5/QtCore/qstring.h:572
#2 0x557c62 in QString::operator=(char const*) /usr/include/qt5/QtCore/qstring.h:706
#3 0x557c62 in mps_waypoint_r /home/gpsbabel/gpsbabel.git/mapsource.cc:571
#4 0x55edd4 in mps_read /home/gpsbabel/gpsbabel.git/mapsource.cc:1675
#5 0xc7adb1 in run /home/gpsbabel/gpsbabel.git/main.cc:339
#6 0x4ce082 in main /home/gpsbabel/gpsbabel.git/main.cc:707
#7 0x7f005766c1a2 in __libc_start_main (/lib64/libc.so.6+0x271a2)
#8 0x4cf29d in _start (/home/gpsbabel/gpsbabel.git/gpsbabel+0x4cf29d)
Address 0x7ffd2ba34e00 is located in stack of thread T0 at offset 1344 in frame
#0 0x556e8f in mps_waypoint_r /home/gpsbabel/gpsbabel.git/mapsource.cc:507
This frame has 6 object(s):
[48, 56) 'wptdesc' (line 538)
[80, 88) '<unknown>'
[112, 120) '<unknown>'
[144, 152) '<unknown>'
[176, 276) 'tbuf' (line 508)
[320, 1344) 'wptname' (line 509) <== Memory access at offset 1344 overflows this variable
* Fix off-by-one list access in pcx reader
* Prevent stack based buffer overflow in gdb reader
* Prevent global buffer overflow in garmin_fit
The message_def array is 16 bytes long, make sure local_id stays
within range, same as in other places in garmin_fit.
Found by afl which managed to create a call to fit_parse_data_message
with a header value of 0x1f:
==
2927747==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000010a3bd8 at pc 0x000000a91bba bp 0x7ffd82584a90 sp 0x7ffd82584a80
READ of size 4 at 0x0000010a3bd8 thread T0
#0 0xa91bb9 in fit_parse_data /home/gpsbabel/gpsbabel.git/garmin_fit.cc:549
#1 0xa92ae3 in fit_parse_data_message /home/gpsbabel/gpsbabel.git/garmin_fit.cc:821
#2 0xa92ae3 in fit_parse_record /home/gpsbabel/gpsbabel.git/garmin_fit.cc:864
#3 0xa92ae3 in fit_read /home/gpsbabel/gpsbabel.git/garmin_fit.cc:884
#4 0xc7cdb1 in run /home/gpsbabel/gpsbabel.git/main.cc:339
#5 0x4ce142 in main /home/gpsbabel/gpsbabel.git/main.cc:707
#6 0x7f4f3b2651a2 in __libc_start_main (/lib64/libc.so.6+0x271a2)
#7 0x4cf35d in _start (/home/gpsbabel/gpsbabel.git/gpsbabel+0x4cf35d)
projects / gpsbabel.git / commit