From 58f4a6f93b10d3ba65d9d62f128a30ffba2de72e Mon Sep 17 00:00:00 2001
From: Mamoru TASAKA
Date: Sun, 15 Apr 2018 15:12:11 +0900
Subject: [PATCH] crumbler: fix color overvalue when accessing colors array

gcc8 -fsanitize=address detects the following error:

==30292==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62900003b8b8 at pc 0x00000040b27a bp 0x7fff47820090 sp 0x7fff47820080
READ of size 2 at 0x62900003b8b8 thread T0
#0 0x40b279 in draw_chunk ../../../hacks/glx/crumbler.c:680
#1 0x4129ac in draw_crumbler ../../../hacks/glx/crumbler.c:795
#2 0x439a21 in xlockmore_draw ../../hacks/xlockmore.c:628
#3 0x408dbe in run_screenhack_table ../../hacks/screenhack.c:586
#4 0x408dbe in main ../../hacks/screenhack.c:967
#5 0x7fa8ac7901ba in __libc_start_main ../csu/libc-start.c:308
#6 0x40a4a9 in _start (/home/tasaka1/rpmbuild/fedora-specific/xscreensaver/master/xscreensaver-5.39/x86_64-pc-linux-gnu/hacks/glx/crumbler+0x40a4a9)

0x62900003b8b8 is located 1720 bytes to the right of 16384-byte region [0x629000037200,0x62900003b200)
allocated by thread T0 here:
#0 0x7fa8b054de50 in calloc (/lib64/libasan.so.5+0xeee50)
#1 0x40fe98 in init_crumbler ../../../hacks/glx/crumbler.c:633
#2 0x3f7fffffffffffff ()

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../hacks/glx/crumbler.c:680 in draw_chunk

Apparently at the line 680, c->color is oversized. I guess at the lines 367-368, parentheses are incorrectly added: c2->color should have the value no more than bp->ncolors - 1.
---
hacks/glx/crumbler.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hacks/glx/crumbler.c b/hacks/glx/crumbler.c
index cf21a94..f9a908a 100644
--- a/hacks/glx/crumbler.c
+++ b/hacks/glx/crumbler.c
@@ -364,8 +364,8 @@ split_chunk (ModeInfo *mi, chunk *c, int nchunks)
 chunks[i] = c2;
 chunks[i]->nverts = 0;
 c2->verts = (qh_vertex_t *) calloc (c->nverts, sizeof(*c2->verts));
- c2->color = (c->color + (random() % (1 + (bp->ncolors / 3)))
- % bp->ncolors);
+ c2->color = (c->color + (random() % (1 + (bp->ncolors / 3))))
+ % bp->ncolors;
 }
 
 /* Add the verts to the approprate chunks
-- 
2.17.0
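Review bot: The corrected assignment to c2->color keeps the index below bp->ncolors only if bp->ncolors is positive and the parent's c->color is already in range; with bp->ncolors == 0 the `% bp->ncolors` is a division by zero, which is undefined behaviour, and nothing in this hunk shows where ncolors is validated (init_crumbler is outside it). A short comment on the new line would make the invariant explicit for the next reader, e.g. `/* keep the colour index inside bp->colors; assumes bp->ncolors > 0 */`. Since the out-of-range read that ASan caught is in draw_chunk rather than here, a guard at that read site, such as `if (c->color < 0 || c->color >= bp->ncolors) abort();` or an equivalent assert, would turn any future regression of this arithmetic into a loud failure instead of a silent heap over-read. split_chunk starts before this hunk and continues after it.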