[Spice-devel] [PATCH spice-gtk] util: fix off-by-one array access

Victor Toso lists at victortoso.com
Thu Jul 7 16:34:00 UTC 2016


Hi,

On Thu, Jul 07, 2016 at 06:24:35PM +0200, marcandre.lureau at redhat.com wrote:
> From: Marc-André Lureau <marcandre.lureau at redhat.com>
> 
> Thanks to ASAN, I found this off-by-one memory access in the unix2dos
> code:
> 
> /util/unix2dos: =================================================================
> ==23589==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000dd2f at pc 0x00000040428e bp 0x7ffd6fc31b90 sp 0x7ffd6fc31b80
> READ of size 1 at 0x60200000dd2f thread T0
>     #0 0x40428d in spice_convert_newlines /home/elmarco/src/spice/spice-gtk/src/spice-util.c:355
>     #1 0x40443a in spice_unix2dos /home/elmarco/src/spice/spice-gtk/src/spice-util.c:382
>     #2 0x401eae in test_unix2dos /home/elmarco/src/spice/spice-gtk/tests/util.c:69
>     #3 0x7fb8bcd81983  (/lib64/libglib-2.0.so.0+0x6e983)
>     #4 0x7fb8bcd81b4e  (/lib64/libglib-2.0.so.0+0x6eb4e)
>     #5 0x7fb8bcd81d5d in g_test_run_suite (/lib64/libglib-2.0.so.0+0x6ed5d)
>     #6 0x7fb8bcd81d80 in g_test_run (/lib64/libglib-2.0.so.0+0x6ed80)
>     #7 0x402cce in main /home/elmarco/src/spice/spice-gtk/tests/util.c:207
>     #8 0x7fb8bc755730 in __libc_start_main (/lib64/libc.so.6+0x20730)
>     #9 0x401818 in _start (/home/elmarco/src/spice/spice-gtk/tests/util+0x401818)
> 
> 0x60200000dd2f is located 1 bytes to the left of 4-byte region [0x60200000dd30,0x60200000dd34)
> allocated by thread T0 here:
>     #0 0x7fb8c10421d0 in realloc (/lib64/libasan.so.3+0xc71d0)
>     #1 0x7fb8bcd61f1f in g_realloc (/lib64/libglib-2.0.so.0+0x4ef1f)
> 
> SUMMARY: AddressSanitizer: heap-buffer-overflow /home/elmarco/src/spice/spice-gtk/src/spice-util.c:355 in spice_convert_newlines
> 
> Signed-off-by: Marc-André Lureau <marcandre.lureau at redhat.com>
> ---
>  src/spice-util.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/src/spice-util.c b/src/spice-util.c
> index 7788921..bca3abc 100644
> --- a/src/spice-util.c
> +++ b/src/spice-util.c
> @@ -352,7 +352,7 @@ static gchar* spice_convert_newlines(const gchar *str, gssize len,
>          if (nl) {
>              /* let's not double \r if it's already in the line */
>              if (to == NEWLINE_TYPE_CR_LF &&
> -                output->str[output->len - 1] != '\r')
> +                (output->len == 0 || output->str[output->len - 1] != '\r'))
>                  g_string_append_c(output, '\r');
>  
>              g_string_append_c(output, '\n');
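Review bot: the added `output->len == 0` guard is the correct fix for this hunk, since without it the first newline in the input makes `output->str[output->len - 1]` read `str[-1]` on a still-empty GString, which matches the ASAN report of a 1-byte read located 1 byte to the left of the region; the comment above it only mentions "not double \r", so consider extending it to record the empty-output case as well, e.g. `/* don't double \r if it's already in the line (output may still be empty) */`, so the purpose of the extra condition stays visible next to it.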

Acked-by: Victor Toso <victortoso at redhat.com>

> -- 
> 2.9.0
> 
> _______________________________________________
> Spice-devel mailing list
> Spice-devel at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/spice-devel
