[Spice-devel] [PATCH spice-gtk 2/2] usbutil: fix crash on windows

Marc-André Lureau marcandre.lureau at gmail.com
Wed Jul 11 05:45:27 PDT 2012 

vendor_count is the last access index, the actually count is +1.

On Windows, it crashes later on because of corrupted memory.

Thanks to valgrind for this precious help:

==4535== Invalid write of size 2
==4535==    at 0x40197E: spice_usbutil_parse_usbids (usbutil.c:170)
==4535==    by 0x401CEC: spice_usbutil_load_usbids (usbutil.c:241)
==4535==    by 0x4020C6: main (usbutil.c:322)
==4535==  Address 0x56b740c is 12 bytes after a block of size 348,160 alloc'd
==4535==    at 0x4A0884D: malloc (vg_replace_malloc.c:263)
==4535==    by 0x4EAAEBE: g_malloc (gmem.c:159)
==4535==    by 0x401847: spice_usbutil_parse_usbids (usbutil.c:156)
==4535==    by 0x401CEC: spice_usbutil_load_usbids (usbutil.c:241)
==4535==    by 0x4020C6: main (usbutil.c:322)
==4535==
---
 gtk/usbutil.c |   17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/gtk/usbutil.c b/gtk/usbutil.c
index 3bd7660..0649794 100644
--- a/gtk/usbutil.c
+++ b/gtk/usbutil.c
@@ -19,7 +19,9 @@
    License along with this library; if not, see <http://www.gnu.org/licenses/>.
 */
 
-#include "config.h"
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
 
 #include <glib-object.h>
 #include <glib/gi18n.h>
@@ -149,7 +151,7 @@ static gboolean spice_usbutil_parse_usbids(gchar *path)
         usbids_vendor_count++;
     }
 
-    usbids_vendor_info = g_new(usb_vendor_info, usbids_vendor_count);
+    usbids_vendor_info = g_new(usb_vendor_info, usbids_vendor_count + 1);
     product_info = g_new(usb_product_info, product_count);
 
     usbids_vendor_count = 0;
@@ -162,6 +164,7 @@ static gboolean spice_usbutil_parse_usbids(gchar *path)
         id = strtoul(line, &line, 16);
         while (isspace(line[0]))
             line++;
+
         usbids_vendor_info[usbids_vendor_count].vendor_id = id;
         snprintf(usbids_vendor_info[usbids_vendor_count].name,
                  VENDOR_NAME_LEN, "%s", line);
@@ -309,3 +312,13 @@ void spice_usb_util_get_device_strings(int bus, int address,
 }
 
 #endif
+
+#ifdef USBUTIL_TEST
+int main()
+{
+    if (spice_usbutil_load_usbids())
+        exit(0);
+
+    exit(1);
+}
+#endif
-- 
1.7.10.4

More information about the Spice-devel mailing list