Some fixes for issues found with afl and address sanitizer (#499)
* Fix off-by-one in nmea reader
Found with afl and address sanitizer:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2615627==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f54eaa53683 bp 0x7ffd187eed00 sp 0x7ffd187ee4b8 T0)
==2615627==The signal is caused by a READ memory access.
==2615627==Hint: address points to the zero page.
#0 0x7f54eaa53682 in QString::chop(int) (/lib64/libQt5Core.so.5+0x13c682)
#1 0x5e8d7f in gpgsa_parse /home/gpsbabel/gpsbabel.git/nmea.cc:744
#2 0x5e8d7f in nmea_parse_one_line /home/gpsbabel/gpsbabel.git/nmea.cc:1021
#3 0x5f0b6f in nmea_read /home/gpsbabel/gpsbabel.git/nmea.cc:1096
#4 0xc7e483 in run /home/gpsbabel/gpsbabel.git/main.cc:339
#5 0x4ced15 in main /home/gpsbabel/gpsbabel.git/main.cc:707
#6 0x7f54ea3f71a2 in __libc_start_main (/lib64/libc.so.6+0x271a2)
#7 0x4cffdd in _start (/home/gpsbabel/gpsbabel.git/gpsbabel+0x4cffdd)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib64/libQt5Core.so.5+0x13c682) in QString::chop(int)
==2615627==ABORTING
* Fix heap buffer overflow in igc reader
In gbfgetstr(), when file->buff contains exactly file->buffsz
characters including null termination, there is no room to
append another character with strcat() in igc.cc
Found by afl with address sanitizer:
==2082077==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000001f40 at pc 0x7f5a4e0da6cd bp 0x7ffd14ffe040 sp 0x7ffd14ffd7e8
WRITE of size 2 at 0x611000001f40 thread T0
#0 0x7f5a4e0da6cc (/lib64/libasan.so.5+0x9b6cc)
#1 0x7327cf in data_read /home/gpsbabel/gpsbabel.git/igc.cc:334
#2 0xc7a3c1 in run /home/gpsbabel/gpsbabel.git/main.cc:339
#3 0x4cddf2 in main /home/gpsbabel/gpsbabel.git/main.cc:707
#4 0x7f5a4d5e51a2 in __libc_start_main (/lib64/libc.so.6+0x271a2)
#5 0x4cf00d in _start (/home/gpsbabel/gpsbabel.git/gpsbabel+0x4cf00d)
0x611000001f40 is located 0 bytes to the right of 256-byte region [0x611000001e40,0x611000001f40)
* Fix endless loop in mapsource
The loop around gbfread needs a check for eof, otherwise it
may never terminate with special input created by afl.
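The two bug classes behind the igc and mapsource fixes above, as an added stand-alone illustration that is not gpsbabel's own code: a bounded append that refuses to write when the line buffer is already exactly full (the strcat() case), and a record-reading loop that checks for end of input so that a truncated or terminator-less file makes it stop instead of spinning. The names linebuf_t, append_checked, stream_t, stream_read and records_until are hypothetical, and the byte inputs in the demo helpers are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical line buffer: buff holds at most buffsz bytes, NUL included.
 * The overflow case from the commit is strlen(buff) == buffsz - 1, i.e. the
 * buffer is completely full and strcat() has no room for even one more byte. */
typedef struct {
    char *buff;
    size_t buffsz;
} linebuf_t;

/* Bounded append. Returns 1 if suffix was appended, 0 if it would not fit.
 * On refusal the buffer is left exactly as it was. */
static int append_checked(linebuf_t *lb, const char *suffix)
{
    size_t used = strlen(lb->buff);
    size_t need = strlen(suffix);
    size_t room = lb->buffsz - 1 - used;   /* free bytes before the NUL slot */
    if (need > room) {
        return 0;
    }
    memcpy(lb->buff + used, suffix, need + 1);  /* copies the NUL as well */
    return 1;
}

/* Constructed in-memory byte stream standing in for a file. stream_read()
 * behaves like fread(): returns the number of items actually read, 0 at end. */
typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;
} stream_t;

static size_t stream_read(void *dst, size_t size, size_t count, stream_t *s)
{
    size_t avail = (s->len - s->pos) / size;
    if (count > avail) {
        count = avail;
    }
    memcpy(dst, s->data + s->pos, count * size);
    s->pos += count * size;
    return count;
}

/* Reads one-byte records until a terminator byte appears. Returns the number
 * of records consumed including the terminator, or -1 if the input ended
 * first. Without the EOF check, input lacking the terminator would loop
 * forever: stream_read() keeps returning 0 and rec never changes. */
static long records_until(stream_t *s, unsigned char terminator)
{
    unsigned char rec = 0;
    long n = 0;
    for (;;) {
        if (stream_read(&rec, 1, 1, s) != 1) {  /* EOF: the missing check */
            return -1;
        }
        n++;
        if (rec == terminator) {
            return n;
        }
    }
}

/* Demo helpers with constructed inputs so each case is a single call. */
static int demo_full_buffer(void)        /* append refused: returns 0 */
{
    char small[4] = "abc";               /* 3 chars + NUL, exactly full */
    linebuf_t lb = { small, sizeof small };
    return append_checked(&lb, "d");
}

static int demo_room_left(void)          /* returns 1, buffer becomes "abcde" */
{
    char big[8] = "abc";
    linebuf_t lb = { big, sizeof big };
    if (!append_checked(&lb, "de")) {
        return 0;
    }
    return strcmp(big, "abcde") == 0;
}

static long demo_no_terminator(void)     /* returns -1 instead of hanging */
{
    static const unsigned char bytes[] = { 1, 2, 3 };   /* constructed */
    stream_t s = { bytes, sizeof bytes, 0 };
    return records_until(&s, 0xff);
}

static long demo_with_terminator(void)   /* returns 3 */
{
    static const unsigned char bytes[] = { 1, 2, 0xff, 4 };  /* constructed */
    stream_t s = { bytes, sizeof bytes, 0 };
    return records_until(&s, 0xff);
}

int main(void)
{
    printf("append to full buffer: %d\n", demo_full_buffer());
    printf("append with room:      %d\n", demo_room_left());
    printf("no terminator:         %ld\n", demo_no_terminator());
    printf("with terminator:       %ld\n", demo_with_terminator());
    return 0;
}
```

The same shape applies to any reader loop built on an fread()-style call: treat a short read as the stop condition rather than assuming the expected byte will eventually arrive, and size every append against the remaining room, not against the total buffer size.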