[hatari-devel] Buffer overflow in Paths_Init()



Hello,

for quite some time I have been puzzled why Hatari (snapshot builds for
Windows from antarctica.no) sometimes worked and sometimes crashed with
a HEAP_CORRUPTION error directly after start. Today, I finally figured
out that it works if I start it from the Windows command line with an
absolute path to the executable, but crashes if I start it with just a
relative path to the executable.

With that knowledge and a debugger I found the reason: a buffer overflow
in Paths_Init(). When started from cmd.exe giving a relative path to the
executable, psExecDir [1] will also only contain a relative path. Notice
how in [2] only just enough memory is allocated for sDataDir to hold
psExecDir, the path separator ("\" under Windows) and BIN2DATADIR, which
is "." for the Windows build.

However, File_MakeAbsoluteName, called from [3], will in the end write
back the full, absolute filename into that buffer [4], thereby
overflowing it. Since Windows 10 has very good checkers for heap
corruption (e.g. by buffer overflow), it then almost immediately
terminates the offending process.

Solution: Always allocate a sufficiently sized buffer (FILENAME_MAX+1?)
for sDataDir.

Regards
Christian

[1]
<https://hg.tuxfamily.org/mercurialroot/hatari/hatari/file/eab3159faa2c/src/paths.c#l312>
[2]
<https://hg.tuxfamily.org/mercurialroot/hatari/hatari/file/eab3159faa2c/src/paths.c#l317>
[3]
<https://hg.tuxfamily.org/mercurialroot/hatari/hatari/file/eab3159faa2c/src/paths.c#l328>
[4]
<https://hg.tuxfamily.org/mercurialroot/hatari/hatari/file/eab3159faa2c/src/file.c#l825>
-- 
Christian Zietz  -  CHZ-Soft  -  czietz@xxxxxxx
WWW: http://www.chzsoft.de/
PGP/GnuPG-Key-ID: 0x52CB97F66DA025CA / 0x6DA025CA
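As an added illustration of the sizing bug described in the mail (not Hatari's own code): the buffer is sized for psExecDir plus separator plus BIN2DATADIR, or for the proposed FILENAME_MAX+1, and a simplified stand-in for File_MakeAbsoluteName then checks whether the absolute name fits before writing it back. CWD, the function names and the paths are assumptions.

```c
/* Added illustration of the sizing bug described in the mail; not Hatari's
 * own code.  CWD, the function names and the paths are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BIN2DATADIR "."                 /* "." for the Windows build (per mail) */
#define PATHSEP     "\\"
#define CWD "C:\\Users\\demo\\hatari"   /* constructed current directory */

/* Allocate sDataDir the way the mail describes: exactly psExecDir +
 * separator + BIN2DATADIR, or with the proposed fixed size FILENAME_MAX+1. */
static char *alloc_data_dir(const char *exec_dir, int fixed, size_t *cap)
{
    *cap = fixed ? FILENAME_MAX + 1
                 : strlen(exec_dir) + strlen(PATHSEP) + strlen(BIN2DATADIR) + 1;
    char *buf = malloc(*cap);
    if (buf)
        snprintf(buf, *cap, "%s%s%s", exec_dir, PATHSEP, BIN2DATADIR);
    return buf;
}

/* Simplified stand-in for File_MakeAbsoluteName: a relative name is
 * rewritten in place with CWD prepended.  The difference from a raw copy is
 * the capacity check, which returns 0 where the original would overflow. */
static int make_absolute_checked(char *buf, size_t cap)
{
    if (strchr(buf, ':') != NULL)       /* drive-qualified: already absolute */
        return 1;
    char tmp[FILENAME_MAX + 1];
    size_t need = strlen(CWD) + strlen(PATHSEP) + strlen(buf) + 1;
    if (need > cap || need > sizeof tmp)
        return 0;                       /* would not fit: refuse, do not write */
    snprintf(tmp, sizeof tmp, "%s%s%s", CWD, PATHSEP, buf);
    memcpy(buf, tmp, need);
    return 1;
}

/* 1 if the absolute data dir fits the buffer, 0 if it would have overflowed,
 * -1 on allocation failure. */
int data_dir_fits(const char *exec_dir, int fixed_size)
{
    size_t cap;
    char *buf = alloc_data_dir(exec_dir, fixed_size, &cap);
    if (!buf)
        return -1;
    int ok = make_absolute_checked(buf, cap);
    free(buf);
    return ok;
}
```

With a relative psExecDir such as "." the minimal allocation cannot hold the absolute name, while an already absolute path fits either way, matching the start-from-absolute-path versus start-from-relative-path behaviour the mail reports.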