Re: [MiNT] [PATCH] XaAES regression in ob_fix_shortcuts()

[Vincent Rivière <vincent.riviere@freesbee.fr>]

On 27/11/2012 00:54, Helmut Karlowski wrote:
> An object should have max. one shortcut.

So the code in ob_fix_shortcuts() is buggy.

Definitely, when TeraDesk loads its resources, several shortcuts are 
affected to some objects.
The pass k=3 allocates shortcuts even for objects which got a shortcut in 
pass k=0 or k=1.

The first thing to do is to add an assert() to early detect a buffer 
overflow. This is easy and saves much trouble. See my assert() patch as 
attachment. It will always detect the overflow, whatever the platform is 
(not only FireTOS).

assert.patch
Detect buffer overflow in ob_fix_shortcuts(). Contributed by Vincent Riviere.

Please commit.

> > Try if this patch fixes the issue:
>
> Attached an improved version.

Thanks, your patch fixes the problem :-)
Please commit.

BTW, the fact that the last parameter of ob_fix_shortcuts() is a double 
pointer (void **scp) is strange. This allows to return the internally 
allocated buffer to the outside, but this functionality does not seem to be 
used.

IMHO, a simple pointer and the actual array length (void *scp, long scplen) 
would be much better. So the assert() will check the buffer overflow against 
the real buffer size, whenever the buffer is allocated internally or externally.

Helmut, I let you commit the patches and do any additional work, if you like.

--
Vincent Rivière

--- freemint.orig/xaaes/src.km/obtree.c	2012-06-08 21:14:23.250000000 +0200
+++ freemint/xaaes/src.km/obtree.c	2012-11-27 20:10:19.852100300 +0100
@@ -2373,6 +2373,7 @@
 										else
 											scuts++;
 									}
+									assert((char*)scuts < ((char*)sc) + len); /* check for buffer overflow */
 									if (!scuts->c )
 									{
 										scuts->c = nk;