mifr/subsurface
1
0
Fork 0
mirror of https://github.com/subsurface/subsurface.git synced 2025-02-19 22:16:15 +00:00
Code Issues Projects Releases Packages Wiki Activity

equipment: sanitize 'tank_info' loop limits

Browse source 
In a number of places the global 'tank_info' array
is being iterated based on a 'tank_info[idx].name != NULL'
condition.

This is dangerous because if the user has added a lot of tanks,
such loops can reach 'tank_info[MAX_TANK_INFO]'. This is an
out of bounds read and if the 'name' pointer there happens to be
non-NULL, passing that address to a peace of code that tries
to read it (like strlen()) would either SIGSEGV or have undefined
behavior.

Clamp all loops that iterate 'tank_info' to MAX_TANK_INFO.

Signed-off-by: Lubomir I. Ivanov <neolit123@gmail.com>
This commit is contained in:
Lubomir I. Ivanov 2018-06-19 03:19:56 +03:00 committed by Dirk Hohndel
parent a5380bb741
commit 769aca9e95
3 changed files with 4 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

2
core/planner.c
View file

@ -209,7 +209,7 @@ void fill_default_cylinder(cylinder_t *cyl)
if (!cyl_name)
return;
while (ti->name != NULL) {
while (ti->name != NULL && ti < tank_info + MAX_TANK_INFO) {
if (strcmp(ti->name, cyl_name) == 0)
break;
ti++;