[Mesa-dev] [PATCH] glsl: fix heap-buffer-overflow

[Eric Engestrom]

On Monday, 2017-01-30 21:55:49 +0100, Bartosz Tomczyk wrote:
> Found by ASAN. There is no need to add +1 to strlen, we have already add
> +1 to str_end.

The change is mathematically correct, but the commit message need
rewording:
The `end+1` skips the ']', whereas the `strlen+1` includes the final
'\0' in the move to terminate the string.

What's happening is that since we start the move at `end+1`, the length
becomes off by one.

With that fixed, this is:
Reviewed-by: Eric Engestrom <eric.engestrom at imgtec.com>

That said, a better fix IMO would be:
-               memmove(str_start, str_end + 1, 1 + strlen(str_end));
+               memmove(str_start, str_end + 1, 1 + strlen(str_end + 1));

This shows more clearly what's happening, even though this is
functionally equivalent.

Cheers,
  Eric


> ---
>  src/compiler/glsl/link_uniforms.cpp | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/src/compiler/glsl/link_uniforms.cpp b/src/compiler/glsl/link_uniforms.cpp
> index a450aa03a8..5a03257b98 100644
> --- a/src/compiler/glsl/link_uniforms.cpp
> +++ b/src/compiler/glsl/link_uniforms.cpp
> @@ -535,7 +535,7 @@ private:
>              const char *str_end;
>              while((str_start = strchr(name_copy, '[')) &&
>                    (str_end = strchr(name_copy, ']'))) {
> -               memmove(str_start, str_end + 1, 1 + strlen(str_end));
> +               memmove(str_start, str_end + 1, strlen(str_end));
>              }
>  
>              unsigned index = 0;
> -- 
> 2.11.0
>