Package: asylum
Version: 0.3.2-1
Tags: patch

I tried to debug the segfault I sometimes get at the end of the second level.
This is what I found: two buffer overruns and a stale FILE*.
Perhaps there's more... 
Did not get to finish the second level yet...

The keyword[12] and FILE* issues were found using cppcheck.
The *spaceptr= overrun was flagged by dmalloc:
[...]
1431426941: 40000: process pid = 4165
1431426941: 40000:   error details: checking user pointer
1431426941: 40000:   pointer '0xb5b9e008' from 'unknown' prev access 
'file.c:145'
1431426941: 40000:   dump of proper fence-top bytes: 'i\336\312\372'
1431426941: 40000:   dump of '0xb5b9e008'+28480: 
'\022\013\'\000\022\f\'\000\022\r\'\000\022\016\'\000\377\336\312\372'
1431426941: 40000:   next pointer '0xb5ba5000' (size 19657) may have run under 
from 'file.c:145'
1431426941: 40000: ERROR: _dmalloc_chunk_heap_check: failed OVER picket-fence 
magic-number check (err 27)
[...]


please apply the patch


diff -uprN ./asylum_orig/asylum.c ./asylum-0.3.2/asylum.c
--- ./asylum_orig/asylum.c	2009-08-03 00:21:07.000000000 +0200
+++ ./asylum-0.3.2/asylum.c	2015-05-12 11:09:27.000000000 +0200
@@ -665,7 +665,7 @@ char idpermitstring[] = "You are now per
 
 void loadconfig()
 {
-    char keyword[12];
+    char keyword[13];
 
     FILE* r0 = find_config(0x40); // read access
     if (r0 != NULL)
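Review bot: The new size on the changed line carries no explanation of why 13 is enough; the code that fills `keyword` is outside this hunk, so a reader cannot tell whether 12 is the longest keyword plus a terminator or a fixed field width, and the two can drift apart again. Document it at the declaration, `char keyword[13]; // 12 chars + NUL; must match the reader's bound`, and bound the write that fills it with `sizeof keyword` (or a field width in its format string, if it is read with fscanf/sscanf) so the size is enforced where the bytes are written rather than assumed here. loadconfig's body continues outside the hunk.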
diff -uprN ./asylum_orig/file.c ./asylum-0.3.2/file.c
--- ./asylum_orig/file.c	2008-12-10 05:12:29.000000000 +0100
+++ ./asylum-0.3.2/file.c	2015-05-12 14:18:36.000000000 +0200
@@ -142,7 +142,7 @@ int loadvitalfile(char** spaceptr, char*
     strcat(fullname, r1);
     int r4 = swi_osfile(15, fullname, 0, 0);
     if (r4 <= 0) fatalfile();
-    *spaceptr = (char*)malloc(r4);
+    *spaceptr = (char*)malloc(r4+1);
     if (swi_osfile(14, fullname, *spaceptr, 0)) fatalfile();
     return r4;
 }
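Review bot: The allocation on the changed line is still unchecked; `malloc(r4+1)` can return NULL and the following line hands that pointer straight to `swi_osfile(14, ...)`. A check in the function's existing error style, `if (*spaceptr == NULL) fatalfile();`, closes that. The extra byte is also never written in this hunk, so if it is meant as a string terminator for callers (the dmalloc trace suggests the overrun was by a few bytes at the end of the buffer), `(*spaceptr)[r4] = '\0';` after the read makes that explicit instead of leaving the byte uninitialized; whether callers rely on a terminator is not visible here.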
@@ -362,7 +362,11 @@ int swi_blitz_hammerop(int op, char* nam
         fclose(f); return op;
     }                            // file is not Hammered
 
-    if (op == 0) return 0x24000; // hack: should return length
+    if (op == 0)
+    {
+        fclose(f);
+        return 0x024000; // hack: should return length
+    }
     char a[524288];
     int p = 0;
     char c;
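Review bot: With the stream now closed on the op == 0 path, the function still returns the constant `0x024000` that its own comment labels a hack; `f` is open and positioned after the Hammered-header check at that point, so the real length is one fseek/ftell away. Whether callers of op == 0 expect the byte count of the raw file is not visible here (the function continues past the hunk), so the constant below is kept as the fallback whenever the size cannot be determined, and the change is otherwise behavior-preserving for unseekable streams. The 512 KiB `char a[524288]` on the next line is pre-existing but is a large stack allocation worth a follow-up.
```c
    if (op == 0)
    {
        /* file is open and not Hammered: report its real size, falling back to
           the old fixed 0x024000 guess only when it cannot be determined */
        long len = -1;
        if (fseek(f, 0, SEEK_END) == 0) len = ftell(f);
        fclose(f);
        return len > 0 ? (int)len : 0x024000;
    }
    // … unchanged: stack buffer declarations and the rest of the copy loop …
```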
