[hatari-devel] Buffer overflow in Paths_Init()
- To: hatari-devel@xxxxxxxxxxxxxxxxxxx
- Subject: [hatari-devel] Buffer overflow in Paths_Init()
- From: Christian Zietz <czietz@xxxxxxx>
- Date: Thu, 17 Jan 2019 20:17:34 +0100
- Openpgp: preference=signencrypt
Hello,
for quite some time I have been puzzled why Hatari (snapshot builds for
Windows from antarctica.no) sometimes worked and sometimes crashed with
a HEAP_CORRUPTION error directly after start. Today, I finally figured
out that it works if I start it from the Windows command line with an
absolute path to the executable, but crashes if I start it with just a
relative path to the executable.
With that knowledge and a debugger I found the reason: a buffer overflow
in Paths_Init(). When started from cmd.exe giving a relative path to the
executable, psExecDir [1] will also only contain a relative path. Notice
how in [2] only just enough memory is allocated for sDataDir to hold
psExecDir, the path separator ("\" under Windows) and BIN2DATADIR, which
is "." for the Windows build.
However, File_MakeAbsoluteName, called from [3], will in the end write
back the full, absolute filename into that buffer [4], thereby
overflowing it. Since Windows 10 has very good checkers for heap
corruption (e.g. by buffer overflow), it then almost immediately
terminates the offending process.
Solution: Always allocate a sufficiently sized buffer (FILENAME_MAX+1?)
for sDataDir.
Regards
Christian
[1] <https://hg.tuxfamily.org/mercurialroot/hatari/hatari/file/eab3159faa2c/src/paths.c#l312>
[2] <https://hg.tuxfamily.org/mercurialroot/hatari/hatari/file/eab3159faa2c/src/paths.c#l317>
[3] <https://hg.tuxfamily.org/mercurialroot/hatari/hatari/file/eab3159faa2c/src/paths.c#l328>
[4] <https://hg.tuxfamily.org/mercurialroot/hatari/hatari/file/eab3159faa2c/src/file.c#l825>
--
Christian Zietz - CHZ-Soft - czietz@xxxxxxx
WWW: http://www.chzsoft.de/
PGP/GnuPG-Key-ID: 0x52CB97F66DA025CA / 0x6DA025CA
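The sizing bug described in the report, next to the proposed FILENAME_MAX+1 fix, as an added C example that is not Hatari's code: `data_dir_alloc_size()`, `make_absolute_name()` and `paths_init_would_overflow()` are stand-ins for the real sDataDir allocation and File_MakeAbsoluteName, and the "current directory" is a constructed constant so the example runs offline.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_SEP "\\"
#define BIN2DATADIR "."          /* "." in the Windows build, as the report says */
#define FAKE_CWD "C:\\Users\\someone\\Desktop\\hatari"   /* constructed cwd */

/* Bytes needed for "<exec_dir>\<BIN2DATADIR>" plus NUL: the allocation size
 * the report points at. Exactly enough for the *relative* string, no more. */
size_t data_dir_alloc_size(const char *exec_dir)
{
    return strlen(exec_dir) + strlen(PATH_SEP) + strlen(BIN2DATADIR) + 1;
}

/* Bounded stand-in for File_MakeAbsoluteName: resolve `name` against the cwd
 * and write at most `size` bytes to `out`. Returns the length the absolute
 * path needs (without NUL); a result >= size means an unbounded copy would
 * have run past the end of `out`. Simplified: "X:..." counts as absolute. */
size_t make_absolute_name(char *out, size_t size, const char *name)
{
    int is_abs = strlen(name) >= 2 && name[1] == ':';
    int n = is_abs ? snprintf(out, size, "%s", name)
                   : snprintf(out, size, "%s%s%s", FAKE_CWD, PATH_SEP, name);
    return n < 0 ? 0 : (size_t)n;
}

/* Replays the Paths_Init() sequence: build the relative data dir, allocate
 * sDataDir either the reported way or with FILENAME_MAX+1, then resolve it
 * to an absolute path into that buffer. Returns 1 if the resolved path did
 * not fit (the heap overflow), 0 if it fit, -1 on allocation failure. */
int paths_init_would_overflow(const char *exec_dir, int use_fixed_size)
{
    char rel[FILENAME_MAX + 1];
    snprintf(rel, sizeof rel, "%s%s%s", exec_dir, PATH_SEP, BIN2DATADIR);

    size_t size = use_fixed_size ? FILENAME_MAX + 1 : data_dir_alloc_size(exec_dir);
    char *data_dir = malloc(size);
    if (!data_dir)
        return -1;
    size_t needed = make_absolute_name(data_dir, size, rel);
    free(data_dir);
    return needed >= size;
}

int main(void)
{
    /* Relative start ("hatari.exe" from its own directory) vs. absolute start. */
    printf("relative, reported sizing: overflow=%d\n", paths_init_would_overflow(".", 0));
    printf("relative, FILENAME_MAX+1:  overflow=%d\n", paths_init_would_overflow(".", 1));
    printf("absolute, reported sizing: overflow=%d\n", paths_init_would_overflow("C:\\hatari", 0));
    return 0;
}
```

The first call reproduces the report (a 4-byte buffer for ".\." receives a 35-byte absolute path); the other two show why an absolute exec path happened to work and why the larger fixed allocation removes the dependence on how the program was launched.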