Type: Bug
Severity: medium
Component: VirtualBox OSE
Host: Ubuntu 64
In file src/libs/xpcom18a4/xpcom/typelib/xpidl/xpidl_typelib.c:

    #417    annotation_len = strlen(annotation_format) + strlen(state->basename) +
     418                     strlen(timestr);
     419    for (i = 0; i < HEADER(state)->num_interfaces; i++) {
            [...]
     425    }
     426
    !427    annotate_val = (char *) malloc(annotation_len);
Line 417 computes annotation_len, which line 427 later uses to allocate memory
for a string, but the computed size reserves no room for the terminating 0
character. The calculation on line 418 needs a "+ 1" added.
In file out/linux.amd64/debug/obj/VBoxOGLgen/state_current_gen.c (creation
source unknown):

     1789    if (v != NULL) {
    !1790        COPY_4V(c->vertexAttrib[VERT_ATTRIB_TEX0 + i], texCoord_default);
    !1791        convert(&(c->vertexAttrib[VERT_ATTRIB_TEX0 + i][0]), v);
    !1792        DIRTY(cb->vertexAttrib[VERT_ATTRIB_TEX0 + i], nbitID);
     1793        DIRTY(cb->dirty, nbitID);
     1794    }
with i defined as

     1706    for (i = 0 ; i < CR_MAX_TEXTURE_UNITS ; i++)

indexes past the end of the array CRCurrentState->vertexAttrib, which has 16
entries: VERT_ATTRIB_TEX0 is 8 and CR_MAX_TEXTURE_UNITS is 16, so i runs from 0
to 15 and the index VERT_ATTRIB_TEX0 + i exceeds the array bounds.
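As an added illustration (not VirtualBox code), the two findings above side by side with their fixes: the line 417/418 length computation with and without the "+ 1", a concatenation that allocates with the corrected size, and the index check the line 1706 loop lacks. The annotation is assumed to be a plain concatenation of the three parts, and the names annotation_len_buggy, annotation_len_fixed, build_annotation, tex_attrib_in_bounds, safe_texture_units and VERTEX_ATTRIB_COUNT are assumptions for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Values as stated in the report: VERT_ATTRIB_TEX0 is 8, vertexAttrib has
 * 16 entries, CR_MAX_TEXTURE_UNITS is 16. VERTEX_ATTRIB_COUNT is an assumed name. */
#define VERT_ATTRIB_TEX0      8
#define VERTEX_ATTRIB_COUNT   16
#define CR_MAX_TEXTURE_UNITS  16

/* Mirrors the line 417/418 computation: the three lengths summed, with no
 * byte reserved for the terminating 0. */
size_t annotation_len_buggy(const char *fmt, const char *basename, const char *timestr)
{
    return strlen(fmt) + strlen(basename) + strlen(timestr);
}

/* The corrected computation: the "+ 1" the report asks for on line 418. */
size_t annotation_len_fixed(const char *fmt, const char *basename, const char *timestr)
{
    return annotation_len_buggy(fmt, basename, timestr) + 1;
}

/* Builds the annotation as a plain concatenation (an assumption about the
 * format) into a buffer sized by the corrected computation. With the buggy
 * size, the final strcat would write its 0 byte one past the allocation. */
char *build_annotation(const char *fmt, const char *basename, const char *timestr)
{
    size_t need = annotation_len_fixed(fmt, basename, timestr);
    char *buf = malloc(need);
    if (buf == NULL)
        return NULL;
    strcpy(buf, fmt);
    strcat(buf, basename);
    strcat(buf, timestr);          /* writes buf[need - 1] = '\0': in bounds */
    return buf;
}

/* 1 if vertexAttrib[VERT_ATTRIB_TEX0 + i] lies inside the 16-entry array. */
int tex_attrib_in_bounds(int i)
{
    return i >= 0 && VERT_ATTRIB_TEX0 + i < VERTEX_ATTRIB_COUNT;
}

/* How many iterations of the line 1706 loop (i from 0 to 15) stay in bounds. */
int safe_texture_units(void)
{
    int ok = 0;
    for (int i = 0; i < CR_MAX_TEXTURE_UNITS; i++)
        if (tex_attrib_in_bounds(i))
            ok++;
    return ok;                     /* 8: i = 8..15 would index past the end */
}
```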
_______________________________________________
vbox-dev mailing list
[email protected]
http://vbox.innotek.de/mailman/listinfo/vbox-dev