Hi

Running cppcheck static analyzer on vim/src/gui_riscos.c gives
the following warnings:

$ cppcheck gui_riscos.c
Checking gui_riscos.c...
[gui_riscos.c:1764] -> [gui_riscos.c:2291]: (error) Array
'front_block[10]' index 20 out of bounds
[gui_riscos.c:1764] -> [gui_riscos.c:2293]: (error) Array
'front_block[10]' index 28 out of bounds

gui_riscos.c:

  1757     if (button & 0x444)
  1758     {
!!1759         int     front_block[10];
  1760         /* Dragging with Select - bring window to front first */
  1761         front_block[0] = gui.window_handle;
  1762         swi(Wimp_GetWindowState, 0, front_block);
  1763         front_block[7] = -1;
!!1764         ro_open_main(front_block);
  1765     }

  ....
  2284     void
  2285 ro_open_main(block)
  2286     int     *block;
  2287 {
  2288     int     toggle_size;
  2289
  2290     /* Find out if the user clicked on the toggle size icon. */
!!2291     block[20] = block[0];
  2292     swi(Wimp_GetWindowState, 0, block + 20);
  2293     toggle_size = block[28] & (1 << 19);

ro_open_main() is called at line 1764 with buffer 'front_block',
which is 10 ints large.  But the first thing that ro_open_main() does
is set block[20], which thus corrupts the stack.

Attached patch fixes it by making front_block 64 ints in size instead
of 10 ints (just as in other places where ro_open_main() is called).

ro_open_main() and other functions could also be static since
they are only used within gui_riscos.c, but I leave that as it is
since I don't have RISC OS to verify.

Regards
-- Dominique

-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
diff -r d94c32250814 src/gui_riscos.c
--- a/src/gui_riscos.c	Thu Dec 02 21:44:40 2010 +0100
+++ b/src/gui_riscos.c	Thu Dec 02 22:50:20 2010 +0100
@@ -1756,7 +1756,7 @@
 
 	if (button & 0x444)
 	{
-	    int	    front_block[10];
+	    int	    front_block[64];
 	    /* Dragging with Select - bring window to front first */
 	    front_block[0] = gui.window_handle;
 	    swi(Wimp_GetWindowState, 0, front_block);
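Review bot: the widened size is a bare magic number that has to be repeated at every ro_open_main() call site (the mail says the other callers already use 64); a named minimum block size, or a comment at the declaration saying that ro_open_main() uses block + 20 as a second Wimp_GetWindowState buffer and reads block[28], would stop the next caller from reintroducing a 10-int buffer. For the indices visible in the report (20 and 28) the 64-int buffer is sufficient.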
@@ -1874,7 +1874,7 @@
 
     if (ro_dragging == DRAG_RESIZE_WINDOW)
     {
-	/* Resizeing the main window. */
+	/* Resizing the main window. */
 	block[2] = y;
 	block[3] = x;
 	ro_open_main(block);
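Review bot: the "Resizeing" correction here and the "Orinial" correction in the following hunk are comment-only changes unrelated to the out-of-bounds write; mention them in the patch description (or split them out) so the stack-corruption fix is easy to locate when bisecting. This hunk also passes a `block` to ro_open_main() whose declaration is outside the diff; worth confirming it is one of the 64-int buffers the mail refers to.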
@@ -2651,7 +2651,7 @@
     long_u	length;
 
     block[0] = 48;			/* Size of block. */
-    block[3] = 0;			/* Orinial message. */
+    block[3] = 0;			/* Original message. */
     block[4] = 0x10;			/* Data request. */
     block[5] = gui.window_handle;
     block[6] = RO_LOAD_CLIPBOARD;	/* Internal handle. */
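The following is an added illustration of the bug shape cppcheck reported, not code from Dominique's mail or from vim: a callee that treats `block + 20` as a second window-state buffer and reads `block[28]`, called once with the patched 64-int buffer and once with the old 10-int buffer. The names `ro_open_main_checked`, `RO_BLOCK_MIN_WORDS`, `fake_get_window_state` and the two caller functions are constructed for the example; `fake_get_window_state` stands in for `swi(Wimp_GetWindowState, ...)` and only models the flags word the caller reads, and the minimum of 29 words is simply the highest index touched plus one (the real Wimp block may be larger, which is why the patch uses 64).

```c
/* Added illustration, not vim code: the callee indexes block[20..28],
   so the caller's buffer must hold at least 29 ints. Names and sizes
   here are constructed for the example. */
#include <stddef.h>
#include <string.h>

/* Hypothetical minimum: highest index the callee touches (28) plus one. */
#define RO_BLOCK_MIN_WORDS 29
/* Size the patch uses at the call sites. */
#define RO_BLOCK_WORDS     64

/* Stand-in for swi(Wimp_GetWindowState, 0, buf). Constructed: writes
   words 1..8 of the block and sets bit 19 (toggle-size) in word 8. */
static void fake_get_window_state(int *buf)
{
    memset(buf + 1, 0, 8 * sizeof(int));
    buf[8] = 1 << 19;
}

/* Hardened shape of ro_open_main(): the caller passes the buffer length,
   so an undersized buffer is refused instead of written past.
   Returns 1 if the toggle-size bit is set, 0 if not, -1 on a short buffer. */
int ro_open_main_checked(int *block, size_t nwords)
{
    if (block == NULL || nwords < RO_BLOCK_MIN_WORDS)
        return -1;                       /* would have overflowed */
    block[20] = block[0];                /* same as the original code */
    fake_get_window_state(block + 20);   /* fills block[21..28] */
    return (block[28] & (1 << 19)) != 0;
}

/* Caller as in the patched code: a 64-int buffer. */
int drag_to_front_example(int window_handle)
{
    int front_block[RO_BLOCK_WORDS];
    front_block[0] = window_handle;
    fake_get_window_state(front_block);
    front_block[7] = -1;
    return ro_open_main_checked(front_block, RO_BLOCK_WORDS);
}

/* Caller as in the pre-patch code: a 10-int buffer. The length check
   turns what would be a stack write at index 20 into an error return. */
int drag_to_front_undersized(int window_handle)
{
    int front_block[10];
    front_block[0] = window_handle;
    /* fake_get_window_state writes words 1..8, which still fits in 10 */
    fake_get_window_state(front_block);
    front_block[7] = -1;
    return ro_open_main_checked(front_block, 10);
}
```

The original ro_open_main() has no way to learn the caller's buffer size, which is exactly why cppcheck's inter-procedural check is the only thing that caught it; passing the length (or agreeing on one named constant for every window-state block) makes the contract visible in the code rather than in the reviewer's memory.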
