[Wayland-bugs] [Bug 94562] compositor-drm.c memcmp use incorrect pointer leads stack-buffer-overflow
bugzilla-daemon at freedesktop.org
bugzilla-daemon at freedesktop.org
Wed Mar 16 00:05:54 UTC 2016
https://bugs.freedesktop.org/show_bug.cgi?id=94562
Bug ID: 94562
Summary: compositor-drm.c memcmp use incorrect pointer leads
stack-buffer-overflow
Product: Wayland
Version: unspecified
Hardware: Other
OS: All
Status: NEW
Severity: normal
Priority: medium
Component: weston
Assignee: wayland-bugs at lists.freedesktop.org
Reporter: comicfans44 at gmail.com
function
drm_output_choose_initial_mode
(struct drm_output *output,
enum output_config kind,
int width, int height,
const drmModeModeInfo *current_mode, -----> already pointer to struct
const drmModeModeInfo *modeline)
line 2215:
if (memcmp(¤t_mode, ------> incorrect
&drm_mode->mode_info,
sizeof *current_mode) == 0)
address sanitizer:
==13723==ERROR: AddressSanitizer: stack-buffer-overflow on address 0xbf9eeee4
at pc 0xb72b9d87 bp 0xbf9eecc8 sp 0xbf9ee89c
READ of size 68 at 0xbf9eeee4 thread T0
#0 0xb72b9d86 in __interceptor_memcmp
/build/gcc/src/gcc-5-20160209/libsanitizer/asan/asan_interceptors.cc:332
#1 0xb5b3a371 in drm_output_choose_initial_mode src/compositor-drm.c:2215
#2 0xb5b3a371 in create_output_for_connector src/compositor-drm.c:2392
#3 0xb5b3e012 in create_outputs src/compositor-drm.c:2591
#4 0xb5b3e012 in drm_backend_create src/compositor-drm.c:3165
#5 0xb5b3e012 in backend_init src/compositor-drm.c:3265
#6 0x8050015 in load_backend_old src/main.c:653
#7 0x8050015 in load_backend src/main.c:677
#8 0x8050015 in main src/main.c:781
#9 0xb6f36526 in __libc_start_main (/usr/lib/libc.so.6+0x18526)
#10 0x8050d4a (/usr/bin/weston+0x8050d4a)
Address 0xbf9eeee4 is located in stack of thread T0 at offset 356 in frame
#0 0xb5b38fcf in create_output_for_connector src/compositor-drm.c:2298
This frame has 11 object(s):
[32, 36) 'width'
[96, 100) 'height'
[160, 164) 'scale'
[224, 228) 's'
[288, 292) 'transform'
[352, 356) 'current_mode'
[416, 484) 'crtc_mode' <== Memory access at offset 356 partially underflows
this variable
[544, 612) 'modeline'
[672, 688) 'hsync'
[736, 752) 'vsync'
[800, 832) 'name'
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
/build/gcc/src/gcc-5-20160209/libsanitizer/asan/asan_interceptors.cc:332
__interceptor_memcmp
Shadow bytes around the buggy address:
0x37f3dd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x37f3dd90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x37f3dda0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x37f3ddb0: f1 f1 f1 f1 04 f4 f4 f4 f2 f2 f2 f2 04 f4 f4 f4
0x37f3ddc0: f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2 04 f4 f4 f4
=>0x37f3ddd0: f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2[04]f4 f4 f4
0x37f3dde0: f2 f2 f2 f2 00 00 00 00 00 00 00 00 04 f4 f4 f4
0x37f3ddf0: f2 f2 f2 f2 00 00 00 00 00 00 00 00 04 f4 f4 f4
0x37f3de00: f2 f2 f2 f2 00 00 f4 f4 f2 f2 f2 f2 00 00 f4 f4
0x37f3de10: f2 f2 f2 f2 00 00 00 00 f3 f3 f3 f3 f3 f3 f3 f3
0x37f3de20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==13723==ABORTING
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/wayland-bugs/attachments/20160316/01faa638/attachment.html>
More information about the wayland-bugs
mailing list