plan9port

fork of plan9port with libvec, libstr and libsdb

commit d92ac2d1b424e059e8e81d6dd58f0ac195fe3253
parent 2ca8ede24ada82f22a77ab172a0a8214f623dc94
Author: Igor Böhm <boehm.igor@gmail.com>
Date:   Sat, 25 Jul 2020 02:17:21 +0200

libdraw: fix out-of-bounds access to local buffer in event.c:startrpc()

The function `startrpc()` stack allocates a local buffer of size 100:

```c
static Muxrpc*
startrpc(int type)
{
	uchar buf[100];
	      ^^^^^^^^
	Wsysmsg w;

	w.type = type;
	convW2M(&w, buf, sizeof buf);
	return muxrpcstart(display->mux, buf);
}
```

The function `convW2M()` is called passing `buf`. That function accesses
`buf` out of bounds:

```c
uint
convW2M(Wsysmsg *m, uchar *p, uint n)
{
  ...
  case Tcursor2:
    PUT(p+6, m->cursor.offset.x);
    PUT(p+10, m->cursor.offset.y);
    memmove(p+14, m->cursor.clr, sizeof m->cursor.clr);
    memmove(p+46, m->cursor.set, sizeof m->cursor.set);
    PUT(p+78, m->cursor2.offset.x);
    PUT(p+82, m->cursor2.offset.y);
    memmove(p+86, m->cursor2.clr, sizeof m->cursor2.clr);
    memmove(p+214, m->cursor2.set, sizeof m->cursor2.set);
    p[342] = m->arrowcursor;
    ^^^^^^
```

To fix the issue, the size of the local variable `buf` is increased from 100
to 512 to avoid out-of-bounds array access.
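As an added example (not plan9port's own code), the pattern behind this fix in bounds-checked form: a packer shaped like `convW2M()` that honours its `n` argument and refuses to write when the caller's buffer is too small, paired with a `startrpc()`-style caller that passes a fixed local buffer with its size. The Tcursor2 offsets (p+6 through p[342]) are taken from the commit message above; the 6-byte header layout, the type values, the `Wsysmsg` field sizes and the `put32()` helper are assumptions made for this example.

```c
/*
 * Added example, not plan9port code: a bounds-checked message packer in
 * the shape of convW2M(). Tcursor2 offsets come from the commit message;
 * the 6-byte header, type values, field sizes and put32() are assumptions.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { Trdmouse = 1, Tcursor2 = 2 };          /* assumed type values */

typedef struct { int32_t x, y; } Point;
typedef struct { Point offset; uint8_t clr[32];  uint8_t set[32];  } Cursor;
typedef struct { Point offset; uint8_t clr[128]; uint8_t set[128]; } Cursor2;

typedef struct {
	uint8_t  type;
	Cursor   cursor;
	Cursor2  cursor2;
	uint8_t  arrowcursor;
} Wsysmsg;

/* Little-endian 32-bit store, standing in for plan9port's PUT() macro. */
static void put32(uint8_t *p, uint32_t v)
{
	p[0] = (uint8_t)v;
	p[1] = (uint8_t)(v >> 8);
	p[2] = (uint8_t)(v >> 16);
	p[3] = (uint8_t)(v >> 24);
}

/* Wire size of a message of the given type: an assumed 6-byte header only,
 * or the Tcursor2 layout whose last byte is p[342] (343 bytes in total). */
size_t wsys_wire_size(int type)
{
	switch (type) {
	case Tcursor2: return 343;
	default:       return 6;
	}
}

/*
 * Like convW2M(m, p, n) but honours n: returns the number of bytes written,
 * or 0 when the caller's buffer cannot hold the encoded message. With a
 * 100-byte buffer and Tcursor2 this returns 0 instead of writing p[342].
 */
size_t pack_wsysmsg(const Wsysmsg *m, uint8_t *p, size_t n)
{
	size_t need = wsys_wire_size(m->type);
	if (n < need)
		return 0;
	memset(p, 0, need);
	put32(p, (uint32_t)need);            /* assumed header: size, type, pad */
	p[4] = m->type;
	p[5] = 0;
	if (m->type == Tcursor2) {
		put32(p+6,  (uint32_t)m->cursor.offset.x);
		put32(p+10, (uint32_t)m->cursor.offset.y);
		memmove(p+14, m->cursor.clr, sizeof m->cursor.clr);    /* 32 bytes */
		memmove(p+46, m->cursor.set, sizeof m->cursor.set);    /* 32 bytes */
		put32(p+78, (uint32_t)m->cursor2.offset.x);
		put32(p+82, (uint32_t)m->cursor2.offset.y);
		memmove(p+86,  m->cursor2.clr, sizeof m->cursor2.clr); /* 128 bytes */
		memmove(p+214, m->cursor2.set, sizeof m->cursor2.set); /* 128 bytes */
		p[342] = m->arrowcursor;
	}
	return need;
}

/*
 * Mirrors the startrpc() pattern: a fixed local buffer handed to the packer
 * together with its size. bufsize stands for the declared array size
 * (100 before the fix, 512 after); the result is the packed length, or 0
 * when the packer would otherwise have written past the buffer.
 */
size_t start_rpc_sized(int type, size_t bufsize)
{
	uint8_t buf[512];
	Wsysmsg w;

	if (bufsize > sizeof buf)
		bufsize = sizeof buf;
	memset(&w, 0, sizeof w);
	w.type = (uint8_t)type;
	w.arrowcursor = 1;
	return pack_wsysmsg(&w, buf, bufsize);
}
```

The size check lives in the packer rather than in each caller, so a too-small buffer fails with a zero return instead of a silent stack write; `start_rpc_sized(Tcursor2, 100)` yields 0, while any size of at least 343 yields the full 343-byte message.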

Diffstat:
Msrc/libdraw/event.c | 2+-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/libdraw/event.c b/src/libdraw/event.c @@ -203,7 +203,7 @@ newebuf(Slave *s, int n) static Muxrpc* startrpc(int type) { - uchar buf[100]; + uchar buf[512]; Wsysmsg w; w.type = type;
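Review bot: the new `uchar buf[512]` in `startrpc()` is still a bare literal with no tie to the message layout it has to hold; the `convW2M()` excerpt in the commit message writes as far as `p[342]` for Tcursor2 and never consults its `n` argument, so enlarging the caller's array moves the overflow threshold rather than removing it if the wire format grows again. Suggest a named constant for the maximum Wsysmsg size shared by the packer and this caller, and a check in `convW2M()` that refuses to write when `n` is smaller than the encoded size (the call site already passes `sizeof buf`), so an undersized buffer fails visibly instead of corrupting the stack.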