author | Jeremy Huddleston Sequoia <jeremyhu@apple.com> | 2022-12-11 16:50:42 -0800 |
---|---|---|
committer | Jeremy Huddleston Sequoia <jeremyhu@apple.com> | 2022-12-11 16:51:41 -0800 |
commit | e041fe4fbd94136820ddaaa9ac9235f739e7590f (patch) | |
tree | 7eefe8a85f5cca73a676fed87a4128e5f4f6b8ea /src | |
parent | afa7fba657ffcd6e5743882d4b1b878ecfc8dc55 (diff) |
AddResponseToBuffer: Copy response data as well to avoid use after scope
==88383==ERROR: AddressSanitizer: stack-use-after-scope on address 0x00016f431d70 at pc 0x000100e08d14 bp 0x00016f429670 sp 0x00016f428e28
READ of size 32 at 0x00016f431d70 thread T0
#0 0x100e08d10 in __asan_memcpy+0x1a4 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3cd10)
#1 0x1009e2660 in HandleClientResponses server.c:372
#2 0x1009e2214 in HandleClientRequest server.c:685
#3 0x1009df314 in XhivRunServer server.c:715
#4 0x1009ded40 in XhivOpenServer server.c:822
#5 0x1009cfb3c in XhivOpenDisplay xlib_client.c:55
#6 0x1009cf614 in testOverflowFields XQueryFont.c:101
#7 0x1009ce2b0 in main XQueryFont.c:133
#8 0x197de3e4c (<unknown module>)
Address 0x00016f431d70 is located in stack of thread T0 at offset 560 in frame
#0 0x1009dfd44 in HandleClientRequest server.c:461
This frame has 11 object(s):
[32, 36) 'req' (line 483)
[48, 52) 'length' (line 485)
[64, 96) 'extension' (line 534)
[128, 184) 'default_qext_response' (line 551)
[224, 256) 'getp_reply' (line 597)
[288, 344) 'getp_response' (line 605)
[384, 416) 'getif_reply' (line 619)
[448, 504) 'getif_response' (line 625)
[544, 548) 'newseq' (line 638)
[560, 592) 'bigreq_reply' (line 653) <== Memory access at offset 560 is inside this variable
[624, 680) 'bigreq_response' (line 658)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3cd10) in __asan_memcpy+0x1a4
Fixes: https://gitlab.freedesktop.org/xorg/test/xhiv/-/issues/1
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/server.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/src/server.c b/src/server.c index 51bdf91..0f290e9 100644 --- a/src/server.c +++ b/src/server.c @@ -237,10 +237,14 @@ AddResponseToBuffer(client_response_buffer *crb, const xhiv_response *response, uint64_t total_bytes= ((uint64_t) r->length) << 2; assert(total_bytes >= r->response_datalen); - new_crb = calloc(1, sizeof(client_response_buffer)); + /* Allocate enough for the client_response_buffer and the response data) */ + new_crb = calloc(1, sizeof(client_response_buffer) + r->response_datalen); assert(new_crb != NULL); - new_crb->response_data = r->response_data; + void *new_response_data = (void *)((char *)new_crb + sizeof(client_response_buffer)); + memcpy(new_response_data, r->response_data, r->response_datalen); + + new_crb->response_data = new_response_data; new_crb->response_datalen = r->response_datalen; new_crb->length = r->length; new_crb->response_sequence = (r->flags & XHIV_NO_SET_SEQUENCE) |
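Review bot: the new memcpy(new_response_data, r->response_data, r->response_datalen) is unconditional, so a response carrying response_datalen == 0 with a NULL response_data passes a null source pointer to memcpy, which is undefined behaviour even for a zero-length copy; guard the copy with `if (r->response_datalen != 0)`. Two smaller points on the same hunk: the added comment has an unbalanced parenthesis ("and the response data) */"), and because the data now lives inside the same calloc block as the client_response_buffer, the teardown path must free only new_crb and never response_data on its own; that is worth confirming wherever client_response_buffer entries are released, since the old code pointed response_data at memory the buffer did not own.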