Re: [MiNT] XaAES regression in ob_fix_shortcuts() (was: in launch())



Vincent Rivière, 26.11.2012 22:25:28:

> On 18/11/2012 22:09, Vincent Rivière wrote:
>> I have noticed a regression in the current XaAES trunk.
>
> After 10 days of hard work and small nights, I finally got it!!

Congratulations!

> The object list is iterated 4 times. If some objects have multiple

These passes are there to set priorities, not to have more shortcuts.

> shortcuts, the buffer can overflow. And it does when loading TeraDesk resources.

An object should have max. one shortcut.

> *Also*
> I noticed that ob_fix_shortcuts() was called from xa_pdlg.c, create_new_pdlg(). In that case, the buffer is allocated outside the function. It must absolutely be verified that the buffer is large enough, the actual size is quite mysterious (3 * (XPDLG_LAST + PDLG_LAST)).

I agree, this is risky, has to be improved.

> By looking at the CVS history, it seems that potential trouble appeared with the first merge of Helmut's branch on 2010/06/02, then things got worse on 2011/02/28 with the fourth shortcut pass. I believe that the buffer overflow was hiding there since that era. So it was probably present in the first official FreeMiNT setup for the FireBee. And for some random reason, it becomes visible now.
>
> Helmut, I let you fix the XaAES code now, since I'm not familiar with it and I don't understand everything.

Try if this patch fixes the issue:

@@ -2311,7 +2313,7 @@
        flag = OF_TOUCHEXIT;
      break;
      case 3:
-       flag2 = flag;
+       flag2 |= flag;
        flag = OF_SELECTABLE;
      break;
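Review bot: changing `flag2 = flag;` to `flag2 |= flag;` in `case 3` makes `flag2` accumulate the previous pass's flag rather than replace it, so `flag2` must be initialised before the first pass or the OR picks up whatever value it held; the hunk does not show that initialisation, please confirm it exists. This also only changes how the passes combine flags; it adds no check against the caller-supplied buffer length raised earlier in the thread (the `3 * (XPDLG_LAST + PDLG_LAST)` allocation in create_new_pdlg()), so an explicit bounds check before each write to the shortcut buffer would close the overflow independently of how many passes an object matches.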

I hope it doesn't affect the function.

Now I'm going to get some rest.

Good night :-)

--
Helmut Karlowski
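As an added illustration of the bug class this thread discusses (constructed example code, not XaAES or FreeMiNT source): a simplified model in which each object can qualify in up to four passes. `naive_entries()` counts how many entries an append-one-per-matching-pass loop would need, which is not bounded by the object count; `collect_shortcuts()` instead treats the passes as priority classes, emits at most one entry per object, and refuses to write past the caller-supplied capacity. The `Object` and `Shortcut` structs, all function names and the sample data are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>

#define NPASSES 4   /* the thread mentions four shortcut passes */

/* Hypothetical object model (not the AES OBJECT structure): bit p of
 * 'match' means the object qualifies in pass p; 'key' is its shortcut char. */
typedef struct {
    unsigned match;
    char key;
} Object;

typedef struct {
    size_t obj;     /* index of the owning object */
    char key;
    int pass;       /* pass (priority class) that claimed the object */
} Shortcut;

/* Entries an append-one-per-matching-pass loop would emit. An object that
 * matches k passes contributes k entries, so the total can exceed the
 * object count: that is the overflow the thread describes. */
size_t naive_entries(const Object *objs, size_t nobj)
{
    size_t total = 0;
    for (int p = 0; p < NPASSES; p++)
        for (size_t i = 0; i < nobj; i++)
            if (objs[i].match & (1u << p))
                total++;
    return total;
}

/* Hardened collector: passes only set priority (lower pass number wins),
 * each object yields at most one entry, and every write is checked against
 * the caller's capacity. Returns entries written, or -1 if 'cap' is too small. */
long collect_shortcuts(const Object *objs, size_t nobj, Shortcut *out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; i < nobj; i++) {
        for (int p = 0; p < NPASSES; p++) {
            if (!(objs[i].match & (1u << p)))
                continue;
            if (n >= cap)          /* explicit bounds check before writing */
                return -1;
            out[n].obj = i;
            out[n].key = objs[i].key;
            out[n].pass = p;
            n++;
            break;                 /* one shortcut per object, highest priority */
        }
    }
    return (long)n;
}

/* Constructed sample: object 1 matches passes 0 and 3, object 2 matches
 * passes 1 and 2, object 3 matches nothing. */
#define SAMPLE_N 4
static const Object SAMPLE[SAMPLE_N] = {
    { 0x1u, 'a' }, { 0x9u, 'b' }, { 0x6u, 'c' }, { 0x0u, 'd' }
};
static Shortcut g_buf[SAMPLE_N];   /* sized for one entry per object */

/* Run the hardened collector on the sample with a given capacity. */
long run_sample(size_t cap)
{
    return collect_shortcuts(SAMPLE, SAMPLE_N, g_buf, cap);
}

/* Pass that claimed entry k in the last successful run_sample() call. */
int sample_pass(size_t k)
{
    return g_buf[k].pass;
}

int main(void)
{
    printf("naive scheme would need %zu entries for %d objects\n",
           naive_entries(SAMPLE, SAMPLE_N), SAMPLE_N);
    printf("hardened collector wrote %ld entries\n", run_sample(SAMPLE_N));
    printf("with capacity 2 it returns %ld\n", run_sample(2));
    return 0;
}
```

With the sample, the naive scheme needs 5 entries for 4 objects, while the hardened collector writes 3 (one per object that matches anything) and reports -1 instead of writing past a capacity of 2. Returning a failure code on insufficient capacity is what lets a caller such as the one described in the thread, which allocates the buffer itself, detect a mis-sized buffer rather than silently overrunning it.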