Opened 9 years ago

Closed 9 years ago

#6990 closed bug (fixed)

[runtime_loader] possible out of bound array access

Reported by: korli Owned by: tqh
Priority: normal Milestone: R1
Component: System/runtime_loader Version: R1/Development
Keywords: Cc:
Blocked By: Blocking:
Has a Patch: no Platform: All

Description

Beginning in hrev31115: http://svn.berlios.de/viewcvs/haiku/haiku/trunk/src/system/runtime_loader/images.cpp?r1=31113&r2=31115

in map_image(), when i is zero, an uninitialized loadAddress is used (CID 1972) and image->regions[i - 1] is accessed (i is unsigned).

295 	for (uint32 i = 0; i < image->num_regions; i++) {
296 	// for BeOS compatibility: if we load an old BeOS executable, we
297 	// have to relocate it, if possible - we recognize it because the
298 	// vmstart is set to 0 (hopefully always)
299 	if (fixed && image->regions[i].vmstart == 0)
300 	fixed = false;
301 	
302 	uint32 regionAddressSpecifier;
303 	get_image_region_load_address(image, i,
304 	loadAddress - image->regions[i - 1].vmstart, fixed,
305 	loadAddress, regionAddressSpecifier);
306 	if (i == 0) {
307 	reservedAddress = loadAddress;
308 	addressSpecifier = regionAddressSpecifier;
309 	} 

Change History (3)

comment:1 Changed 9 years ago by bonefish

Version: R1/alpha2R1/Development

Yep, a check is missing in both instances. 0 can be supplied for the get_image_region_load_address() parameter instead -- it is ignored for index == 0 anyway.

comment:2 Changed 9 years ago by tqh

Owner: changed from bonefish to tqh
Status: newin-progress

comment:3 Changed 9 years ago by tqh

Resolution: fixed
Status: in-progressclosed

Fixed in hrev39974 and hrev39987. Also in newer Coverity runs it's CID 3197. So I hadn't even seen CID 1972.

Note: See TracTickets for help on using tickets.