Fix regions array buffer overflow in egs++ viewer
After compiling egs_view with asan support, there was a buffer overflow
error traced back to the memcpy call in ImageWindow::paintEvent.

ERROR: AddressSanitizer: dynamic-stack-buffer-overflow ...
READ of size 400 at 0x7ffe71889e40 thread T0
    #0 0x7f543595ecdf  (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x99cdf)
    #1 0x55dc3acdbb15 in memcpy
    #2 0x55dc3acdbb15 in ImageWindow::paintEvent(QPaintEvent*)
    #3 0x7f5434f86047 in QWidget::event(QEvent*)

The issue is that memcpy will always copy sizeof(lastRegions) bytes into
the array regions. But before this change, regions could be shorter than
lastRegions, leading to a buffer overflow. After this change, maxreg is
always set to N_REG_MAX, the length of lastRegions.
mxxo authored and ftessier committed Jun 27, 2022
1 parent a6fc389 commit c71de66
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion HEN_HOUSE/egs++/view/image_window.cpp
@@ -335,7 +335,7 @@ void ImageWindow::paintEvent(QPaintEvent *) {
yscreen = -(xyMouse.y()-h/2)*yscale/h;
EGS_Vector xp(q.screen_xo + q.screen_v2*yscreen + q.screen_v1*xscreen);

int maxreg=min(int((h-145)/15),N_REG_MAX);
int maxreg = N_REG_MAX;
int regions[maxreg];
EGS_Vector colors[N_REG_MAX];
EGS_Vector hitCoord(0,0,0);
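Review bot: with `maxreg` now the constant `N_REG_MAX`, `int regions[maxreg];` no longer needs to be a variable-length array (a compiler extension in C++); declare it as `int regions[N_REG_MAX];` to match `colors[N_REG_MAX]` on the next line and the `lastRegions` array whose size the memcpy copies, so the destination size is tied to the source at compile time rather than through a runtime variable. The dropped bound `min(int((h-145)/15), N_REG_MAX)` looks like it limited the number of region rows to what fits in the window height; if `maxreg` is still used further down as that drawing limit, that path should be checked separately, since only the array sizing is what the overflow required.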