Buffer overflow in get_icon_name_sortkey()
On startup, with ASan:
=================================================================
==80490==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000004e1e72 at pc 0x000000458db5 bp 0x7ffc22a78400 sp 0x7ffc22a783f0
READ of size 1 at 0x0000004e1e72 thread T0
#0 0x458db4 in get_icon_name_sortkey ../../../../Projects/gnome-calendar/src/weather/gcal-weather-service.c:314
#1 0x459825 in compute_weather_info_data ../../../../Projects/gnome-calendar/src/weather/gcal-weather-service.c:434
#2 0x45a6e6 in preprocess_gweather_reports ../../../../Projects/gnome-calendar/src/weather/gcal-weather-service.c:634
#3 0x45b548 in update_weather ../../../../Projects/gnome-calendar/src/weather/gcal-weather-service.c:864
#4 0x45afad in on_gweather_update_cb ../../../../Projects/gnome-calendar/src/weather/gcal-weather-service.c:756
#5 0x7f585146d488 in g_cclosure_marshal_VOID__VOID ../../../../Projects/glib/gobject/gmarshal.c:117
#6 0x7f585146a0ea in g_closure_invoke ../../../../Projects/glib/gobject/gclosure.c:810
#7 0x7f5851487ce9 in signal_emit_unlocked_R ../../../../Projects/glib/gobject/gsignal.c:3641
#8 0x7f5851486ff2 in g_signal_emit_valist ../../../../Projects/glib/gobject/gsignal.c:3397
#9 0x7f5851487575 in g_signal_emit ../../../../Projects/glib/gobject/gsignal.c:3453
#10 0x7f58517320c1 in soup_session_process_queue_item ../../../../Projects/libsoup/libsoup/soup-session.c:2042
#11 0x7f5851732246 in async_run_queue ../../../../Projects/libsoup/libsoup/soup-session.c:2082
#12 0x7f58517322f8 in idle_run_queue ../../../../Projects/libsoup/libsoup/soup-session.c:2109
#13 0x7f5851373d02 in g_idle_dispatch ../../../../Projects/glib/glib/gmain.c:5612
#14 0x7f585137119c in g_main_dispatch ../../../../Projects/glib/glib/gmain.c:3176
#15 0x7f5851371ff9 in g_main_context_dispatch ../../../../Projects/glib/glib/gmain.c:3841
#16 0x7f58513721dd in g_main_context_iterate ../../../../Projects/glib/glib/gmain.c:3914
#17 0x7f58513722a1 in g_main_context_iteration ../../../../Projects/glib/glib/gmain.c:3975
#18 0x7f58515be07a in g_application_run ../../../../Projects/glib/gio/gapplication.c:2554
#19 0x42301d in main ../../../../Projects/gnome-calendar/src/main.c:40
#20 0x7f5850e3ff32 in __libc_start_main (/lib64/libc.so.6+0x23f32)
#21 0x41f2bd in _start (/home/mcatanzaro/Projects/GNOME/install/bin/gnome-calendar+0x41f2bd)
0x0000004e1e72 is located 46 bytes to the left of global variable '*.LC10' defined in '../../../../Projects/gnome-calendar/src/weather/gcal-weather-service.c' (0x4e1ea0) of size 19
'*.LC10' is ascii string 'weather-few-clouds'
0x0000004e1e72 is located 4 bytes to the right of global variable '*.LC9' defined in '../../../../Projects/gnome-calendar/src/weather/gcal-weather-service.c' (0x4e1e60) of size 14
'*.LC9' is ascii string 'weather-clear'
SUMMARY: AddressSanitizer: global-buffer-overflow ../../../../Projects/gnome-calendar/src/weather/gcal-weather-service.c:314 in get_icon_name_sortkey
Shadow bytes around the buggy address:
0x000080094370: 02 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x000080094380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000080094390: 00 00 03 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0000800943a0: 00 03 f9 f9 f9 f9 f9 f9 00 00 05 f9 f9 f9 f9 f9
0x0000800943b0: 00 00 00 00 00 00 00 00 00 02 f9 f9 f9 f9 f9 f9
=>0x0000800943c0: 07 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 06[f9]f9
0x0000800943d0: f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9 00 00 01 f9
0x0000800943e0: f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9 00 00 00 02
0x0000800943f0: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 05 f9 f9
0x000080094400: f9 f9 f9 f9 00 06 f9 f9 f9 f9 f9 f9 00 00 05 f9
0x000080094410: f9 f9 f9 f9 00 00 02 f9 f9 f9 f9 f9 00 00 00 04
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==80490==ABORTING
Problem is here:
for (i = 0; i < G_N_ELEMENTS (icons); i++)
  {
    /* icons[i].name is indexed at normalized_name_len before anything has
       checked that the entry is at least that long. */
    if (icons[i].name[normalized_name_len] == '\0' && strncmp (icon_name, icons[i].name, normalized_name_len) == 0)
      {
        *supports_night_icon = icons[i].night_support;
        return i;
      }
  }
We have:
- icon_name="weather-few-clouds-night"
- normalized_name_len=18 (length of "weather-few-clouds")
- i=0
- icons[0].name="weather-clear"
- strlen(icons[0].name)=strlen("weather-clear")=13
So then we have, on the first iteration of the loop: icons[i].name[normalized_name_len] == '\0'
which is icons[0].name[18] == '\0'
which is "weather-clear"[18] == '\0'. Disaster.
Edited by Michael Catanzaro
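The mechanism above, as an added example that is not part of this report or of gnome-calendar's code. The icon table, the "-night" suffix normalization and the fix shown are assumptions for the example; the reported loop's operand order is reproduced in sortkey_unsafe, but the out-of-bounds index is routed through a bounds-checked accessor that records the overflow instead of performing it, so the program runs without undefined behaviour and without ASan.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed icon table in the shape of the one the reported loop walks.
 * Entries, order and night_support values are assumptions for this example. */
struct icon_entry
{
  const char *name;
  bool        night_support;
};

static const struct icon_entry icons[] = {
  { "weather-clear",      true  },
  { "weather-few-clouds", true  },
  { "weather-fog",        false },
  { "weather-overcast",   false },
};
#define N_ICONS (sizeof icons / sizeof icons[0])

/* Reads past a table entry's terminator attempted by the last lookup. */
static int oob_reads;

/* Bounds-checked stand-in for icons[i].name[idx]. Index len is the terminator
 * and is in bounds; anything beyond it is the global-buffer-overflow ASan
 * reported. It is recorded rather than performed; '\0' is an arbitrary
 * stand-in for the byte that would have come back from the redzone. */
static char char_at (const char *s, size_t idx)
{
  size_t len = strlen (s);
  if (idx > len)
    {
      oob_reads++;
      return '\0';
    }
  return s[idx];
}

/* Length of the name with a trailing "-night" removed, assumed to mirror the
 * normalization the report describes ("weather-few-clouds-night" -> 18). */
static size_t normalized_length (const char *icon_name)
{
  static const char suffix[] = "-night";
  size_t len = strlen (icon_name);
  size_t slen = sizeof suffix - 1;
  if (len > slen && strcmp (icon_name + len - slen, suffix) == 0)
    return len - slen;
  return len;
}

/* Same operand order as the reported loop: the entry is indexed at the
 * normalized length before anything has shown the entry is that long. */
static int sortkey_unsafe (const char *icon_name, bool *supports_night_icon)
{
  size_t n = normalized_length (icon_name);
  for (size_t i = 0; i < N_ICONS; i++)
    {
      if (char_at (icons[i].name, n) == '\0' &&
          strncmp (icon_name, icons[i].name, n) == 0)
        {
          *supports_night_icon = icons[i].night_support;
          return (int) i;
        }
    }
  return -1;
}

/* One fix (an assumption here, not necessarily the upstream patch): establish
 * the entry's length first, so it is compared only when it is exactly n bytes
 * long, and memcmp then never runs off the end of either string. */
static int sortkey_safe (const char *icon_name, bool *supports_night_icon)
{
  size_t n = normalized_length (icon_name);
  for (size_t i = 0; i < N_ICONS; i++)
    {
      if (strlen (icons[i].name) == n &&
          memcmp (icon_name, icons[i].name, n) == 0)
        {
          *supports_night_icon = icons[i].night_support;
          return (int) i;
        }
    }
  return -1;
}

int main (void)
{
  const char *name = "weather-few-clouds-night";
  bool night = false;
  int key;

  oob_reads = 0;
  key = sortkey_unsafe (name, &night);
  printf ("unsafe: key=%d night=%d oob_reads=%d\n", key, night, oob_reads);
  oob_reads = 0;
  key = sortkey_safe (name, &night);
  printf ("safe:   key=%d night=%d oob_reads=%d\n", key, night, oob_reads);
  return 0;
}
```

Both variants return the same sort key for "weather-few-clouds-night", because the stray byte read past "weather-clear" only has to be non-'\0' to change the outcome and strncmp rejects that entry anyway; that is why the overflow is silent without AddressSanitizer. The counter shows the unsafe order touching memory beyond entry 0 on every lookup whose normalized length exceeds 13, while the length-first order never does.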