mirror of
https://github.com/subsurface/subsurface.git
synced 2025-02-19 22:16:15 +00:00
equipment: sanitize 'tank_info' loop limits
In a number of places the global 'tank_info' array is being iterated based on a 'tank_info[idx].name != NULL' condition. This is dangerous because if the user has added a lot of tanks, such loops can reach 'tank_info[MAX_TANK_INFO]'. This is an out of bounds read and if the 'name' pointer there happens to be non-NULL, passing that address to a piece of code that tries to read it (like strlen()) would either SIGSEGV or have undefined behavior.

Clamp all loops that iterate 'tank_info' to MAX_TANK_INFO.

Signed-off-by: Lubomir I. Ivanov <neolit123@gmail.com>
parent
a5380bb741
commit
769aca9e95
3 changed files with 4 additions and 5 deletions
|
@ -52,7 +52,7 @@ void PreferencesDefaults::refreshSettings()
|
|||
ui->localDefaultFile->setChecked(prefs.default_file_behavior == LOCAL_DEFAULT_FILE);
|
||||
|
||||
ui->default_cylinder->clear();
|
||||
for (int i = 0; tank_info[i].name != NULL; i++) {
|
||||
for (int i = 0; tank_info[i].name != NULL && i < MAX_TANK_INFO; i++) {
|
||||
ui->default_cylinder->addItem(tank_info[i].name);
|
||||
if (prefs.default_cylinder && strcmp(tank_info[i].name, prefs.default_cylinder) == 0)
|
||||
ui->default_cylinder->setCurrentIndex(i);
|
||||
|
|
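Review bot: In the replacement loop header in PreferencesDefaults::refreshSettings(), the index is checked after the element is read: `tank_info[i].name != NULL && i < MAX_TANK_INFO` still evaluates tank_info[MAX_TANK_INFO].name once every slot is filled, because && evaluates its left operand first. The loop body (addItem(), strcmp()) is no longer reached with that pointer, but the out-of-bounds read the commit message describes is still performed in the condition itself. Put the bound first, `i < MAX_TANK_INFO && tank_info[i].name != NULL`, so short-circuit evaluation stops before the array is touched; if the loops in the other two changed files use the same operand order, the same change applies there.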