Opened 13 years ago
Closed 13 years ago
#6990 closed bug (fixed)
[runtime_loader] possible out of bound array access
| Reported by: | korli | Owned by: | tqh |
|---|---|---|---|
| Priority: | normal | Milestone: | R1 |
| Component: | System/runtime_loader | Version: | R1/Development |
| Keywords: | Cc: | ||
| Blocked By: | Blocking: | ||
| Platform: | All |
Description
Beginning in hrev31115: http://svn.berlios.de/viewcvs/haiku/haiku/trunk/src/system/runtime_loader/images.cpp?r1=31113&r2=31115
in map_image(), when i is zero, an uninitialized loadAddress is used (CID 1972) and image->regions[i - 1] is accessed (i is unsigned).
295 for (uint32 i = 0; i < image->num_regions; i++) {
296 // for BeOS compatibility: if we load an old BeOS executable, we
297 // have to relocate it, if possible - we recognize it because the
298 // vmstart is set to 0 (hopefully always)
299 if (fixed && image->regions[i].vmstart == 0)
300 fixed = false;
301
302 uint32 regionAddressSpecifier;
303 get_image_region_load_address(image, i,
304 loadAddress - image->regions[i - 1].vmstart, fixed,
305 loadAddress, regionAddressSpecifier);
306 if (i == 0) {
307 reservedAddress = loadAddress;
308 addressSpecifier = regionAddressSpecifier;
309 }
Change History (3)
comment:1 by , 13 years ago
| Version: | R1/alpha2 → R1/Development |
|---|
comment:2 by , 13 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → in-progress |
comment:3 by , 13 years ago
| Resolution: | → fixed |
|---|---|
| Status: | in-progress → closed |
Note:
See TracTickets
for help on using tickets.
Yep, a check is missing in both instances. 0 can be supplied for the
get_image_region_load_address()parameter instead -- it is ignored forindex == 0anyway.