Re: [hatari-devel] Big bug in the SDL UI



On 28/06/2015 23:47, Eero Tamminen wrote:
Hi,

On Monday 29 June 2015, Nicolas Pomarède wrote:
On 28/06/2015 22:16, Eero Tamminen wrote:
Invalid accesses don't happen because SDLGui_DoDialog() return value
is used in calling code as comparison value (mainly as switch() value),
not as-is for indexing an array.

No, the problem in SDLGui_DoDialog() was bad indexing:

dlg[current_object].type

When dlg refers to the "do you want to reset" dialog, then dlg is in fact
alertdlg and it only has 8 members in the array, so referring to
dlg[16].type is an indexing error, not a switch problem.

Ah, the problem wasn't the SDLGui_DoDialog() return value, but
indexing done inside it.

Address Sanitizer documentation doesn't tell how it tracks
global arrays, but at least for stack and heap values it
just adds "canaries" on both sides of the array.  If the index
is too far off, that access isn't caught.

More importantly, it needs to know what exact array is accessed,
otherwise it cannot check whether there was some issue
in using it.  I think that happens in the caller, as the caller is
in another object and SDLGui_DoDialog() gets just an array pointer
and only the caller knows where the array ends.

(When you get just a pointer, it might be pointing anywhere
in the array, start, middle, end...).


Yes, I also think that it's not smart enough to replace dlg with alertdlg in that case and check the corresponding boundaries (I made some tests where the array is the same name/pointer as in the declaration, and they are correctly reported).
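The pattern discussed above, as an added example that is not Hatari's code: a callee that receives only a pointer to a dialog array cannot rely on the caller to bound the index, but if the array carries its own terminator the callee can check the index itself before reading dlg[idx].type. The DialogObj struct, the OBJ_* values, the sentinel convention and the contents of alertdlg are assumptions constructed for this example; only the 8-entry size and the out-of-range index 16 come from the thread.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical dialog-object layout and sentinel value; Hatari's real
 * definitions are not quoted in the thread, so these are assumptions. */
enum { OBJ_STOP = -1, OBJ_BOX = 1, OBJ_TEXT = 2, OBJ_BUTTON = 3 };

typedef struct {
    int type;
    int x, y, w, h;
    const char *txt;
} DialogObj;

/* Constructed "do you want to reset" dialog: eight entries, the last
 * one being the OBJ_STOP sentinel that closes the array. */
static const DialogObj alertdlg[] = {
    { OBJ_BOX,     0, 0, 40, 7, NULL },
    { OBJ_TEXT,    2, 1, 36, 1, "Do you want to reset?" },
    { OBJ_TEXT,    2, 2, 36, 1, "" },
    { OBJ_TEXT,    2, 3, 36, 1, "" },
    { OBJ_TEXT,    2, 4, 36, 1, "" },
    { OBJ_BUTTON,  4, 6, 10, 1, "OK" },
    { OBJ_BUTTON, 26, 6, 10, 1, "Cancel" },
    { OBJ_STOP,    0, 0,  0, 0, NULL }
};

/* Number of real objects before the sentinel. */
size_t dialog_len(const DialogObj *dlg)
{
    size_t n = 0;
    while (dlg[n].type != OBJ_STOP)
        n++;
    return n;
}

/* Checked replacement for a raw dlg[idx].type read. Returns the object
 * type, or 0 (never a valid type here) when idx is outside the array. */
int dialog_obj_type(const DialogObj *dlg, int idx)
{
    if (idx < 0 || (size_t)idx >= dialog_len(dlg))
        return 0;
    return dlg[idx].type;
}

int main(void)
{
    /* Index 16 is the value from the thread: on an 8-entry array the
     * unchecked read lands well past the end, and possibly past the
     * redzone ASan places after a global, which is why it can go unseen. */
    printf("objects: %zu\n", dialog_len(alertdlg));
    printf("type of object 1:  %d\n", dialog_obj_type(alertdlg, 1));
    printf("type of object 16: %d\n", dialog_obj_type(alertdlg, 16));
    return 0;
}
```

Scanning for the sentinel on every access is cheap for dialog-sized arrays; for larger tables the length would be stored alongside the pointer instead. Either way the check belongs in the function that performs the indexing, since it is the only place that sees the actual index value.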
