[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [MiNT] XaAES regression in ob_fix_shortcuts() (was: in launch())



On 18/11/2012 22:09, Vincent Rivière wrote:
I have noticed a regression in the current XaAES trunk.

After 10 days of hard work and small nights, I finally got it !!

Long story short:
The regression is actually in obtree.c, function ob_fix_shortcuts();
When loading TeraDesk, the shortcut buffer overflows because the number of keyboard shortcuts can be greater than the number of objects.

The following revisions of obtree.c are of interest, they increase the number of passes on the object list, while the buffer was not increased.
1.91.2.3
1.91.2.10
1.98

Basically, inside ob_fix_shortcuts() we have an "sc" buffer containing "struct sc" objects representing a keyboard shortcut.

We can see that the length is the number of objects.
len = ((long)objs + 1) * sizeof(struct sc)

Then later:
	/*
	 * 1. predefined shortcuts (>0!)
	 * 2. default,exit
	 * 3. touchexit
	 * 4. other
	 */
	for( k = 0; k < 4; k++ )

The object list is iterated 4 times. If some objects have multiple shortcuts, the buffer can overflow. And it does when loading TeraDesk resources.

*Also*
I noticed that ob_fix_shortcuts() was called from xa_pdlg.c, create_new_pdlg(). In that case, the buffer is allocated outside the function. It must absolutely be verified that the buffer is large enough, the actual size is quite mysterious (3 * (XPDLG_LAST + PDLG_LAST)).

By looking at the CVS history, it seems that potential trouble appeared with the first merge of Helmut's branch on 2010/06/02, then things got worse on 2011/02/28 with the fourth shortcut pass. I believe that the buffer overflow was hiding there since that era. So it was probably present in the first official FreeMiNT setup for the FireBee. And for some random reason, it becomes visible now.

Helmut, I let you fix the XaAES code now, since I'm not familiar with it and I don't understand everything.

Now I'm going to get some rest.

--
Vincent Rivière