From b2d88d5f47228913aa7e147cec3e789efd974436 Mon Sep 17 00:00:00 2001 
From: Thomas Debesse Date: Wed, 23 Dec 2020 02:46:27 +0100 Subject: [PATCH] plugin/vfspk3: prevent buffer overflow/stack smashing This isssue: ``` netradiant/plugins/vfspk3/vfs.cpp:595:7: warning: array index 1024 is past the end of the array (which contains 1024 elements) [-Warray-bounds] tmppath[PATH_MAX] = '\0'; ^ ~~~~~~~~ netradiant/plugins/vfspk3/vfs.cpp:587:5: note: array 'tmppath' declared here char tmppath[PATH_MAX]; ^ netradiant/plugins/vfspk3/vfs.cpp:607:7: warning: array index 1024 is past the end of the array (which contains 1024 elements) [-Warray-bounds] tmppath[PATH_MAX] = '\0'; ^ ~~~~~~~~ netradiant/plugins/vfspk3/vfs.cpp:587:5: note: array 'tmppath' declared here char tmppath[PATH_MAX]; ``` is producing this (on macOS): ``` * thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGABRT frame #0: 0x00007fff58f4f2c6 libsystem_kernel.dylib`__pthread_kill + 10 libsystem_kernel.dylib`__pthread_kill: -> 0x7fff58f4f2c6 <+10>: jae 0x7fff58f4f2d0 ; <+20> 0x7fff58f4f2c8 <+12>: movq %rax, %rdi 0x7fff58f4f2cb <+15>: jmp 0x7fff58f49457 ; cerror_nocancel 0x7fff58f4f2d0 <+20>: retq Target 0: (netradiant) stopped. 
(lldb) thread backtrace all * thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGABRT * frame #0: 0x00007fff58f4f2c6 libsystem_kernel.dylib`__pthread_kill + 10 frame #1: 0x00007fff5900abf1 libsystem_pthread.dylib`pthread_kill + 284 frame #2: 0x00007fff58eb9745 libsystem_c.dylib`__abort + 144 frame #3: 0x00007fff58eb9ff3 libsystem_c.dylib`__stack_chk_fail + 205 frame #4: 0x000000010a8a7e59 libvfspk3.so`InitDirectory(char const*, Modules<_QERArchiveTable>&) + 7689 frame #5: 0x00000001000e0a57 netradiant`QE_InitVFS() + 1351 frame #6: 0x0000000100094673 netradiant`VFSModuleObserver::realise() + 19 frame #7: 0x000000010009478a netradiant`HomePathsModuleObserver::realise() + 58 frame #8: 0x000000010008906a netradiant`EnginePath_Realise() + 58 frame #9: 0x00000001000d3f5f netradiant`Radiant::Radiant() + 351 frame #10: 0x00000001000d15d1 netradiant`Radiant_Construct(ModuleServer&) + 353 frame #11: 0x000000010008a84a netradiant`Radiant_Initialise() + 42 frame #12: 0x0000000100088087 netradiant`main + 535 frame #13: 0x00007fff58e143d5 libdyld.dylib`start + 1 thread #2 frame #0: 0x00007fff58f4abfe libsystem_kernel.dylib`__workq_kernreturn + 10 frame #1: 0x00007fff59007636 libsystem_pthread.dylib`_pthread_wqthread + 458 frame #2: 0x00007fff590073fd libsystem_pthread.dylib`start_wqthread + 13 thread #3 frame #0: 0x00007fff58f4abfe libsystem_kernel.dylib`__workq_kernreturn + 10 frame #1: 0x00007fff59007636 libsystem_pthread.dylib`_pthread_wqthread + 458 frame #2: 0x00007fff590073fd libsystem_pthread.dylib`start_wqthread + 13 thread #4 frame #0: 0x00007fff58f4abfe libsystem_kernel.dylib`__workq_kernreturn + 10 frame #&1: 0x00007fff590076e6 libsystem_pthread.dylib`_pthread_wqthread + 634 frame #2: 0x00007fff590073fd libsystem_pthread.dylib`start_wqthread + 13 ``` --- plugins/vfspk3/vfs.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/vfspk3/vfs.cpp b/plugins/vfspk3/vfs.cpp index ded3d048..44c2ebb5 100644 --- a/plugins/vfspk3/vfs.cpp 
+++ b/plugins/vfspk3/vfs.cpp
@@ -562,7 +562,7 @@ void InitDirectory( const char* directory, ArchiveModules& archiveModules ){
 }
 const char *ext = strrchr( name, '.' );
- char tmppath[PATH_MAX];
+ char tmppath[PATH_MAX + 1];
 if ( ext != nullptr ) {
 if ( is_dpk_vfs && !string_compare_nocase_upper( ext, ".dpkdir" ) ) {
-- 
2.39.2
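Review bot: The `+ char tmppath[PATH_MAX + 1];` line closes the one-past-the-end write, but the array size and the `tmppath[PATH_MAX] = '\0'` stores the commit message points at (vfs.cpp:595 and :607, outside this hunk) are now two independent constants that must be kept in sync by hand, so a later edit to either one silently reintroduces the stack overflow. The terminator at index PATH_MAX presumably exists because the copy that fills `tmppath` is bounded to PATH_MAX bytes and may leave it unterminated — please confirm; if so, bounding that copy with `sizeof( tmppath )` and writing the terminator at `tmppath[sizeof( tmppath ) - 1]` ties the two together. An over-long input is then truncated rather than overflowed, and a truncated filesystem path can resolve to a different entry than the one intended, so skipping or logging names that do not fit is worth considering here too. At minimum the declaration deserves a why-comment, e.g. `char tmppath[PATH_MAX + 1]; // +1: the terminator is stored at tmppath[PATH_MAX] below`. InitDirectory starts and ends outside the hunk.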