From 46158e810b6e6e883657f4bdd1195abf7fb3cf1a Mon Sep 17 00:00:00 2001 
From: Jonathan Wakely Date: Thu, 18 Feb 2021 17:14:02 +0000 Subject: [PATCH] Fix buffer overflow in GTerm::update_changes() Increase the buffer size by one byte to fix an AddressSanitizer error as shown below. It's possible that the bug is in the values passed to wxTerm::DrawText, but simply increasing the buffer size avoids the error. ==94572==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62a000053020 at pc 0x00000048bd3c bp 0x7ffdf5219130 sp 0x7ffdf5219128 READ of size 1 at 0x62a000053020 thread T0 #0 0x48bd3b in wxTerm::DrawText(int, int, int, int, int, int, unsigned char*) TerminalWx/src/taTelnet/wxterm.cpp:1250 #1 0x497ee3 in GTerm::update_changes() TerminalWx/src/GTerm/utils.cpp:75 #2 0x48e4e5 in wxTerm::ProcessInput(int, unsigned char*) TerminalWx/src/taTelnet/wxterm.cpp:1754 #3 0x47f31b in TerminalWx::DisplayCharsUnsafe(wxString const&) TerminalWx/src/terminalwx.cpp:62 #4 0x49c60e in redirectDfuOutput /home/builder/SCSI2SD-V6/src/scsi2sd-util6/scsi2sd-util.cc:717 #5 0x4a4131 in OnID_Timer /home/builder/SCSI2SD-V6/src/scsi2sd-util6/scsi2sd-util.cc:784 #6 0x7f0d2063a26d in wxEvtHandler::ProcessEventIfMatchesId(wxEventTableEntryBase const&, wxEvtHandler*, wxEvent&) (/lib64/libwx_baseu-3.0.so.0+0x17726d) #7 0x7f0d2063c212 in wxEventHashTable::HandleEvent(wxEvent&, wxEvtHandler*) (/lib64/libwx_baseu-3.0.so.0+0x179212) #8 0x7f0d2063c4eb in wxEvtHandler::TryHereOnly(wxEvent&) (/lib64/libwx_baseu-3.0.so.0+0x1794eb) #9 0x7f0d2063c57a in wxEvtHandler::ProcessEventLocally(wxEvent&) (/lib64/libwx_baseu-3.0.so.0+0x17957a) #10 0x7f0d2063c660 in wxEvtHandler::ProcessEvent(wxEvent&) (/lib64/libwx_baseu-3.0.so.0+0x179660) #11 0x7f0d2063a476 in wxEvtHandler::SafelyProcessEvent(wxEvent&) (/lib64/libwx_baseu-3.0.so.0+0x177476) #12 0x7f0d205dd9af in wxTimerImpl::SendEvent() (/lib64/libwx_baseu-3.0.so.0+0x11a9af) #13 0x7f0d209cfe91 (/lib64/libwx_gtk3u_core-3.0.so.0+0x291e91) #14 0x7f0d1f44566c (/lib64/libglib-2.0.so.0+0x5266c) #15 0x7f0d1f444ff6 in 
g_main_context_dispatch (/lib64/libglib-2.0.so.0+0x51ff6) #16 0x7f0d1f495b87 (/lib64/libglib-2.0.so.0+0xa2b87) #17 0x7f0d1f4446ca in g_main_loop_run (/lib64/libglib-2.0.so.0+0x516ca) #18 0x7f0d1f98620c in gtk_main (/lib64/libgtk-3.so.0+0x24420c) #19 0x7f0d209c4834 in wxGUIEventLoop::DoRun() (/lib64/libwx_gtk3u_core-3.0.so.0+0x286834) #20 0x7f0d2056c1bc in wxEventLoopBase::Run() (/lib64/libwx_baseu-3.0.so.0+0xa91bc) #21 0x7f0d20549d79 in wxAppConsoleBase::MainLoop() (/lib64/libwx_baseu-3.0.so.0+0x86d79) #22 0x7f0d205a447b in wxEntry(int&, wchar_t**) (/lib64/libwx_baseu-3.0.so.0+0xe147b) #23 0x4252d6 in main /home/builder/SCSI2SD-V6/src/scsi2sd-util6/scsi2sd-util.cc:1123 #24 0x7f0d1ff1a1e1 in __libc_start_main (/lib64/libc.so.6+0x281e1) #25 0x42610d in _start (/home/builder/SCSI2SD-V6/src/scsi2sd-util6/build/linux/scsi2sd-util6+0x42610d) 0x62a000053020 is located 0 bytes to the right of 20000-byte region [0x62a00004e200,0x62a000053020) allocated by thread T0 here: #0 0x7f0d21183d17 in operator new[](unsigned long) (/lib64/libasan.so.6+0xacd17) #1 0x49169f in GTerm::GTerm(int, int) TerminalWx/src/GTerm/gterm.cpp:86
---
 src/scsi2sd-util6/TerminalWx/src/GTerm/gterm.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/scsi2sd-util6/TerminalWx/src/GTerm/gterm.cpp b/src/scsi2sd-util6/TerminalWx/src/GTerm/gterm.cpp
index ac7bd6de..cbcd7761 100644
--- a/src/scsi2sd-util6/TerminalWx/src/GTerm/gterm.cpp
+++ b/src/scsi2sd-util6/TerminalWx/src/GTerm/gterm.cpp
@@ -83,7 +83,7 @@ GTerm::GTerm(int w, int h) : width(w), height(h)
 doing_update = 0;
 // could make this dynamic
- text = new unsigned char[MAXWIDTH*MAXHEIGHT];
+ text = new unsigned char[MAXWIDTH*MAXHEIGHT+1];
 color = new unsigned short[MAXWIDTH*MAXHEIGHT];
 for (i=0; i