Bug 759840 – orcprogram-c: Varnames bounds seem broken

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 759840 - orcprogram-c: Varnames bounds seem broken


Summary:	orcprogram-c: Varnames bounds seem broken


Status:	RESOLVED OBSOLETE

Product:	GStreamer
Classification:	Platform
Component:	orc
Version:	git master
Hardware:	Other Linux

Importance:	Normal critical
Target Milestone:	git master
Assigned To:	GStreamer Maintainers
QA Contact:	GStreamer Maintainers

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2015-12-24 10:01 UTC by Sebastian Dröge (slomo)
Modified:	2018-01-15 10:32 UTC

See Also:
GNOME target:	---
GNOME version:	---

Attachments
avoid reading varnames[] out of bounds (838 bytes, patch) 2016-02-17 15:13 UTC, Luis de Bethencourt	reviewed	Details \| Review

Description Sebastian Dröge (slomo) 2015-12-24 10:01:53 UTC

The following commit seems broken as the variables arrays are ORC_N_COMPILER_VARIABLES but the varnames arrays are smaller. This might break something.

Of course the old code was also broken probably, or at least misleading. But this change might introduce regressions because fewer variables are possible.

commit 951091788b8496868bf86b2f853f5214659e782a
Author: Luis de Bethencourt <luisbg@osg.samsung.com>
Date:   Mon Dec 14 13:46:52 2015 +0000

    orcprogram-c: avoid running out of bounds of varnames
    
    These two for loops use varnames[i], since varname has 48 items avoid
    running out of bounds by running the for loop up to that limit.
    
    CID 1147004

Comment 1 Sebastian Dröge (slomo) 2016-02-16 11:35:50 UTC

Luis, any news here?

Comment 2 Tim-Philipp Müller 2016-02-16 11:41:20 UTC

I think we should revert to be on the safe side for now so we can make a release. Then we can re-visit this later.

Comment 3 Luis de Bethencourt 2016-02-17 15:09:27 UTC

After considering this a bit more and reading the code again I agree with Tim.

commit 45ef23c09a7147039b9a1109c26ad431228e3114
Author: Luis de Bethencourt <luisbg@osg.samsung.com>
Date:   Wed Feb 17 15:05:49 2016 +0000

    Revert "orcprogram-c: avoid running out of bounds of varnames"

    This reverts commit 951091788b8496868bf86b2f853f5214659e782a.

    This isn't a proper fix and the risk of bringing in a regression is too
    high for the small and incomplete improvement.

Comment 4 Luis de Bethencourt 2016-02-17 15:13:05 UTC

Created attachment 321503 [details] [review]
avoid reading varnames[] out of bounds

Protect towards the unlikely (yet still possible) out of bounds reading of varnames[] when get_varname_stride() gets called from a var higher than 48.

Comment 5 Sebastian Dröge (slomo) 2016-02-17 15:36:01 UTC

Comment on attachment 321503 [details] [review]
avoid reading varnames[] out of bounds

And does this work then for >= 48? Probably not, in which case an assertion might be nicer for now?

Comment 6 Luis de Bethencourt 2016-02-17 15:59:02 UTC

Switched to using an assertion. Thanks for the feedback :)

commit fe2ac0c1d066a37809e2169a9f591dbc8f09707f
Author: Luis de Bethencourt <luisbg@osg.samsung.com>
Date:   Mon Dec 14 16:20:18 2015 +0000

    orcprogram-c: check array bound in get_varname_stride()

    https://bugzilla.gnome.org/show_bug.cgi?id=759840

Comment 7 Edward Hervey 2018-01-15 10:32:04 UTC

orc is coverity-clean now. Closing.