[vlc-commits] [Git][videolan/vlc][master] 2 commits: core: fix incorrect use of ssize_t
Romain Vimont (@rom1v)
gitlab at videolan.org
Tue Jan 4 15:51:43 UTC 2022
Romain Vimont pushed to branch master at VideoLAN / VLC
Commits:
55995aa4 by Romain Vimont at 2022-01-04T15:06:45+00:00
core: fix incorrect use of ssize_t
The type ssize_t may contain either a non-negative integer or -1. It is
only guaranteed to support values in range [-1, SSIZE_MAX], so it should
not contain arbitrary negative values.
- - - - -
52ef980f by Romain Vimont at 2022-01-04T15:06:45+00:00
core: fix jaro-winkler heap-buffer-overflow
The implementation could read beyond the b string.
Reported by ASAN:
$ ./vlc --opaaaaaaa
…
Error: Unknown option `--opaaaaaaa'
=================================================================
==522294==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000022655 at pc 0x7f8b1793d73d bp 0x7ffe311de800 sp 0x7ffe311de7f8
READ of size 1 at 0x602000022655 thread T0
#0 0x7f8b1793d73c in jaro_inner ../../src/config/jaro_winkler.c:111
#1 0x7f8b1793db7a in vlc_jaro_winkler ../../src/config/jaro_winkler.c:159
- - - - -
1 changed file:
- src/config/jaro_winkler.c
Changes:
=====================================
src/config/jaro_winkler.c
=====================================
@@ -71,7 +71,8 @@ static inline int jaro_inner(const char *a, const char *b, size_t *ret_prefix_cc
*ret_prefix_cc = prefix_char_count;
size_t a_numchars = strlen(a_suffix) + prefix_char_count;
- size_t b_numchars = strlen(b_suffix) + prefix_char_count;
+ size_t b_suffix_len = strlen(b_suffix);
+ size_t b_numchars = b_suffix_len + prefix_char_count;
// The check for lengths of one here is to prevent integer overflow when
// calculating the search range.
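Review bot: style: `b_suffix_len` is introduced here but only read in the bounds check added further down in this file; a one-line comment at the definition saying that it is suffix-relative (the index space of `b_suffix`) while `b_numchars` also counts `prefix_char_count` would make clear why both values are kept.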
@@ -98,8 +99,7 @@ static inline int jaro_inner(const char *a, const char *b, size_t *ret_prefix_cc
const char *a_char = a_suffix;
for (size_t i = 0; *a_char; i++) {
- ssize_t tmp = (ssize_t)i - (ssize_t)search_range;
- size_t bound_start = (tmp >= 0) ? tmp : 0;
+ size_t bound_start = i > search_range ? i - search_range : 0;
size_t bound_end = MIN(b_numchars, i + search_range + 1);
if (bound_start >= bound_end) {
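Review bot: `i > search_range ? i - search_range : 0` is the right replacement for the signed subtraction: it is a saturating unsigned subtraction that cannot wrap and no longer relies on ssize_t holding values below -1. The adjacent `i + search_range + 1` in `bound_end` is still an unchecked size_t addition; the earlier comment ("The check for lengths of one here is to prevent integer overflow when calculating the search range") is what keeps it safe, so a short comment at this line pointing at that guard would save the next reader from re-deriving it.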
@@ -107,6 +107,11 @@ static inline int jaro_inner(const char *a, const char *b, size_t *ret_prefix_cc
continue;
}
+ if (bound_start > b_suffix_len) {
+ // end of b string
+ break;
+ }
+
const char *b_char = b_suffix + bound_start;
for (size_t j = bound_start; *b_char && j < bound_end; j++) {
if (*a_char == *b_char && !b_consumed[j]) {
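Review bot: the new guard is needed because `j` and `b_char` index into `b_suffix`, while `bound_end` is clamped against `b_numchars`, which includes `prefix_char_count`; so `bound_start < bound_end` alone does not keep `b_suffix + bound_start` inside the string, and when `bound_start > b_suffix_len` the `*b_char` test in the inner loop dereferences past the terminator, which matches the ASAN read reported at jaro_winkler.c:111. Using `>` rather than `>=` is correct: at `bound_start == b_suffix_len`, `b_char` points at the NUL and the inner loop exits without reading further, and `break` rather than `continue` is right since `bound_start` only grows with `i`. The `// end of b string` comment should state why the MIN on `bound_end` is not sufficient (suffix-relative index versus full-string count), otherwise a later cleanup may fold this check back into the clamp and reintroduce the overflow.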
View it on GitLab: https://code.videolan.org/videolan/vlc/-/compare/f1603b6994de7b4166662834ce3050eebc82de52...52ef980fb2ad9ca45f2db7d114a3e957457612bb