Fix buffer overflow in GTerm::update_changes()

Increase the buffer size by one byte to fix an AddressSanitizer error as
shown below. It's possible that the bug is in the values passed to
wxTerm::DrawText, but simply increasing the buffer size avoids the
error.

==94572==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62a000053020 at pc 0x00000048bd3c bp 0x7ffdf5219130 sp 0x7ffdf5219128
READ of size 1 at 0x62a000053020 thread T0
    #0 0x48bd3b in wxTerm::DrawText(int, int, int, int, int, int, unsigned char*) TerminalWx/src/taTelnet/wxterm.cpp:1250
    #1 0x497ee3 in GTerm::update_changes() TerminalWx/src/GTerm/utils.cpp:75
    #2 0x48e4e5 in wxTerm::ProcessInput(int, unsigned char*) TerminalWx/src/taTelnet/wxterm.cpp:1754
    #3 0x47f31b in TerminalWx::DisplayCharsUnsafe(wxString const&) TerminalWx/src/terminalwx.cpp:62
    #4 0x49c60e in redirectDfuOutput /home/builder/SCSI2SD-V6/src/scsi2sd-util6/scsi2sd-util.cc:717
    #5 0x4a4131 in OnID_Timer /home/builder/SCSI2SD-V6/src/scsi2sd-util6/scsi2sd-util.cc:784
    #6 0x7f0d2063a26d in wxEvtHandler::ProcessEventIfMatchesId(wxEventTableEntryBase const&, wxEvtHandler*, wxEvent&) (/lib64/libwx_baseu-3.0.so.0+0x17726d)
    #7 0x7f0d2063c212 in wxEventHashTable::HandleEvent(wxEvent&, wxEvtHandler*) (/lib64/libwx_baseu-3.0.so.0+0x179212)
    #8 0x7f0d2063c4eb in wxEvtHandler::TryHereOnly(wxEvent&) (/lib64/libwx_baseu-3.0.so.0+0x1794eb)
    #9 0x7f0d2063c57a in wxEvtHandler::ProcessEventLocally(wxEvent&) (/lib64/libwx_baseu-3.0.so.0+0x17957a)
    #10 0x7f0d2063c660 in wxEvtHandler::ProcessEvent(wxEvent&) (/lib64/libwx_baseu-3.0.so.0+0x179660)
    #11 0x7f0d2063a476 in wxEvtHandler::SafelyProcessEvent(wxEvent&) (/lib64/libwx_baseu-3.0.so.0+0x177476)
    #12 0x7f0d205dd9af in wxTimerImpl::SendEvent() (/lib64/libwx_baseu-3.0.so.0+0x11a9af)
    #13 0x7f0d209cfe91  (/lib64/libwx_gtk3u_core-3.0.so.0+0x291e91)
    #14 0x7f0d1f44566c  (/lib64/libglib-2.0.so.0+0x5266c)
    #15 0x7f0d1f444ff6 in g_main_context_dispatch (/lib64/libglib-2.0.so.0+0x51ff6)
    #16 0x7f0d1f495b87  (/lib64/libglib-2.0.so.0+0xa2b87)
    #17 0x7f0d1f4446ca in g_main_loop_run (/lib64/libglib-2.0.so.0+0x516ca)
    #18 0x7f0d1f98620c in gtk_main (/lib64/libgtk-3.so.0+0x24420c)
    #19 0x7f0d209c4834 in wxGUIEventLoop::DoRun() (/lib64/libwx_gtk3u_core-3.0.so.0+0x286834)
    #20 0x7f0d2056c1bc in wxEventLoopBase::Run() (/lib64/libwx_baseu-3.0.so.0+0xa91bc)
    #21 0x7f0d20549d79 in wxAppConsoleBase::MainLoop() (/lib64/libwx_baseu-3.0.so.0+0x86d79)
    #22 0x7f0d205a447b in wxEntry(int&, wchar_t**) (/lib64/libwx_baseu-3.0.so.0+0xe147b)
    #23 0x4252d6 in main /home/builder/SCSI2SD-V6/src/scsi2sd-util6/scsi2sd-util.cc:1123
    #24 0x7f0d1ff1a1e1 in __libc_start_main (/lib64/libc.so.6+0x281e1)
    #25 0x42610d in _start (/home/builder/SCSI2SD-V6/src/scsi2sd-util6/build/linux/scsi2sd-util6+0x42610d)

0x62a000053020 is located 0 bytes to the right of 20000-byte region [0x62a00004e200,0x62a000053020)
allocated by thread T0 here:
    #0 0x7f0d21183d17 in operator new[](unsigned long) (/lib64/libasan.so.6+0xacd17)
    #1 0x49169f in GTerm::GTerm(int, int) TerminalWx/src/GTerm/gterm.cpp:86

diff --git a/src/scsi2sd-util6/TerminalWx/src/GTerm/gterm.cpp b/src/scsi2sd-util6/TerminalWx/src/GTerm/gterm.cpp
index ac7bd6de73f5409ce83fbaa51b5ad3928c2a9839..cbcd7761e4a19cd61032e74ad5a3c032352edfec 100644 (file)
--- a/src/scsi2sd-util6/TerminalWx/src/GTerm/gterm.cpp
+++ b/src/scsi2sd-util6/TerminalWx/src/GTerm/gterm.cpp
@@ -83,7 +83,7 @@ GTerm::GTerm(int w, int h) : width(w), height(h)
        doing_update = 0;
 
        // could make this dynamic
-       text = new unsigned char[MAXWIDTH*MAXHEIGHT];
+       text = new unsigned char[MAXWIDTH*MAXHEIGHT+1];
        color = new unsigned short[MAXWIDTH*MAXHEIGHT];
 
        for (i=0; i<MAXHEIGHT; i++) {