From 58f4a6f93b10d3ba65d9d62f128a30ffba2de72e Mon Sep 17 00:00:00 2001
From: Mamoru TASAKA <mtasaka@fedoraproject.org>
Date: Sun, 15 Apr 2018 15:12:11 +0900
Subject: [PATCH] crumbler: fix color overvalue when accessing colors array
gcc8 -fsanitize=address detects the following error:
==30292==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62900003b8b8 at pc 0x00000040b27a bp 0x7fff47820090 sp 0x7fff47820080
READ of size 2 at 0x62900003b8b8 thread T0
#0 0x40b279 in draw_chunk ../../../hacks/glx/crumbler.c:680
#1 0x4129ac in draw_crumbler ../../../hacks/glx/crumbler.c:795
#2 0x439a21 in xlockmore_draw ../../hacks/xlockmore.c:628
#3 0x408dbe in run_screenhack_table ../../hacks/screenhack.c:586
#4 0x408dbe in main ../../hacks/screenhack.c:967
#5 0x7fa8ac7901ba in __libc_start_main ../csu/libc-start.c:308
#6 0x40a4a9 in _start (/home/tasaka1/rpmbuild/fedora-specific/xscreensaver/master/xscreensaver-5.39/x86_64-pc-linux-gnu/hacks/glx/crumbler+0x40a4a9)
0x62900003b8b8 is located 1720 bytes to the right of 16384-byte region [0x629000037200,0x62900003b200)
allocated by thread T0 here:
#0 0x7fa8b054de50 in calloc (/lib64/libasan.so.5+0xeee50)
#1 0x40fe98 in init_crumbler ../../../hacks/glx/crumbler.c:633
#2 0x3f7fffffffffffff (<unknown module>)
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../hacks/glx/crumbler.c:680 in draw_chunk
Apparently at line 680, c->color is oversized. I guess at lines 367-368, parentheses are
incorrectly added: c2->color should have a value no more than bp->ncolors - 1.
---
hacks/glx/crumbler.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hacks/glx/crumbler.c b/hacks/glx/crumbler.c
index cf21a94..f9a908a 100644
--- a/hacks/glx/crumbler.c
+++ b/hacks/glx/crumbler.c
@@ -364,8 +364,8 @@ split_chunk (ModeInfo *mi, chunk *c, int nchunks)
chunks[i] = c2;
chunks[i]->nverts = 0;
c2->verts = (qh_vertex_t *) calloc (c->nverts, sizeof(*c2->verts));
- c2->color = (c->color + (random() % (1 + (bp->ncolors / 3)))
- % bp->ncolors);
+ c2->color = (c->color + (random() % (1 + (bp->ncolors / 3))))
+ % bp->ncolors;
}
/* Add the verts to the approprate chunks
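Review bot: the new parenthesization keeps c2->color inside the colors array only if the parent's c->color is itself already in [0, bp->ncolors - 1]; that invariant now holds for every chunk produced by split_chunk, but it is worth a one-line comment (or an assert on c->color) next to the assignment so a future edit does not reintroduce the bug. The removed lines show why the old form overflowed: `%` binds tighter than `+`, so `(random() % (1 + (bp->ncolors / 3))) % bp->ncolors` reduced only the random increment, and the sum could reach c->color + bp->ncolors / 3, which is the out-of-range read in draw_chunk at crumbler.c:680 in the sanitizer trace. Applying `% bp->ncolors` to the whole sum, as the `+` lines do, is the correct fix.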
--
2.17.0
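The precedence bug the commit message describes can be checked exhaustively without running the screensaver. The following is an added example, not code from xscreensaver or from this patch: it reproduces the removed and the added expressions as two small functions, replaces `random()` with a parameter so every possible increment can be enumerated, and counts how many parent color / increment combinations leave the index outside a colors array of `ncolors` entries. The struct fields `c->color`, `c2->color` and `bp->ncolors` are stood in by plain integer arguments; those names and the value `ncolors = 64` are assumptions for the demonstration.

```c
#include <stdio.h>

/* Expression from the removed lines. Because '%' binds tighter than '+',
   only the random increment is reduced modulo ncolors; the parent's color
   is added afterwards and is never reduced. (Constructed stand-in: the real
   code reads c->color and bp->ncolors from structs.) */
static int color_before_fix(int c_color, int ncolors, long rnd)
{
    return (c_color + (rnd % (1 + (ncolors / 3))) % ncolors);
}

/* Expression from the added lines: the whole sum is reduced modulo ncolors. */
static int color_after_fix(int c_color, int ncolors, long rnd)
{
    return (c_color + (rnd % (1 + (ncolors / 3)))) % ncolors;
}

/* A valid index into an array of ncolors entries is 0 <= color < ncolors. */
static int color_in_range(int color, int ncolors)
{
    return color >= 0 && color < ncolors;
}

/* Walk every parent color in [0, ncolors - 1] and every value the random
   increment can take, i.e. every residue of random() % (1 + ncolors / 3).
   Returns how many combinations produce an out-of-range color index. */
static int count_overflows(int (*compute)(int, int, long), int ncolors)
{
    int bad = 0;
    long step_max = 1 + ncolors / 3;   /* increments are 0 .. step_max - 1 */
    for (int c = 0; c < ncolors; c++)
        for (long r = 0; r < step_max; r++)
            if (!color_in_range(compute(c, ncolors, r), ncolors))
                bad++;
    return bad;
}

int main(void)
{
    const int ncolors = 64;            /* assumed palette size */
    printf("out-of-range indices before fix: %d\n",
           count_overflows(color_before_fix, ncolors));
    printf("out-of-range indices after fix:  %d\n",
           count_overflows(color_after_fix, ncolors));
    /* Worst case: parent color 63, increment 21 */
    printf("before: %d  after: %d\n",
           color_before_fix(63, ncolors, 21), color_after_fix(63, ncolors, 21));
    return 0;
}
```

With a 64-entry palette the old expression yields an index of up to 63 + 21 = 84 and goes out of range for 231 of the 64 * 22 combinations, while the patched expression never leaves [0, 63]. The same enumeration is a cheap regression test for any "index = (base + offset) % size" pattern where the base is trusted to be in range.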