[Qemu-devel] [PATCH] qemu-char: Fix potential out of bounds access to local arrays

[Qemu-devel] [PATCH] qemu-char: Fix potential out of bounds access to local arrays

[Stefan Weil]

Latest gcc-4.8 supports a new option -fsanitize=address which activates
an AddressSanitizer. This AddressSanitizer stops the QEMU system emulation
very early because two character arrays of size 8 are potentially written
with 9 bytes.

Commit 6ea314d91439741e95772dfbab98b4135e04bebb added the code.

There is no obvious reason why width or height could need 8 characters,
so reduce it to 7 characters which together with the terminating '\0'
fit into the arrays.

Cc: qemu-stable <qemu-stable@nongnu.org>
Signed-off-by: Stefan Weil <sw@weilnetz.de>
---

This is not a critical error because only other local variables can be
overwritten with a null byte, but the fix is also very simple, so maybe
this is a candidate for qemu-stable (1.5 and 1.6?).

Regards,
Stefan

 qemu-char.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/qemu-char.c b/qemu-char.c
index f7f5464..6d393e6 100644
--- a/qemu-char.c
+++ b/qemu-char.c
@@ -2989,11 +2989,11 @@ QemuOpts *qemu_chr_parse_compat(const char *label, const char *filename)
     if (strstart(filename, "vc", &p)) {
         qemu_opt_set(opts, "backend", "vc");
         if (*p == ':') {
-            if (sscanf(p+1, "%8[0-9]x%8[0-9]", width, height) == 2) {
+            if (sscanf(p+1, "%7[0-9]x%7[0-9]", width, height) == 2) {
                 /* pixels */
                 qemu_opt_set(opts, "width", width);
                 qemu_opt_set(opts, "height", height);
-            } else if (sscanf(p+1, "%8[0-9]Cx%8[0-9]C", width, height) == 2) {
+            } else if (sscanf(p+1, "%7[0-9]Cx%7[0-9]C", width, height) == 2) {
                 /* chars */
                 qemu_opt_set(opts, "cols", width);
                 qemu_opt_set(opts, "rows", height);
-- 
1.7.10.4

Re: [Qemu-devel] [Qemu-trivial] [PATCH] qemu-char: Fix potential out of bounds access to local arrays

[Michael Tokarev]

01.10.2013 01:04, Stefan Weil wrote:
> Latest gcc-4.8 supports a new option -fsanitize=address which activates
> an AddressSanitizer. This AddressSanitizer stops the QEMU system emulation
> very early because two character arrays of size 8 are potentially written
> with 9 bytes.
>
> Commit 6ea314d91439741e95772dfbab98b4135e04bebb added the code.
>
> There is no obvious reason why width or height could need 8 characters,
> so reduce it to 7 characters which together with the terminating '\0'
> fit into the arrays.

A good one.

Thanks, applied to the trivial patches queue.

/mjt

Re: [Qemu-devel] [PATCH] qemu-char: Fix potential out of bounds accessto local arrayss

[Alex Bennée]

sw@weilnetz.de writes:

> Latest gcc-4.8 supports a new option -fsanitize=address which activates
> an AddressSanitizer. This AddressSanitizer stops the QEMU system emulation
> very early because two character arrays of size 8 are potentially written
> with 9 bytes.
>
> Commit 6ea314d91439741e95772dfbab98b4135e04bebb added the code.
>
> There is no obvious reason why width or height could need 8 characters,
> so reduce it to 7 characters which together with the terminating '\0'
> fit into the arrays.
>
> Cc: qemu-stable <qemu-stable@nongnu.org>
> Signed-off-by: Stefan Weil <sw@weilnetz.de>
<snip>

Reviewed-by: Alex Bennée <alex@bennee.com>

-- 
Alex Bennée