mifr/subsurface
1
0
Fork 0
mirror of https://github.com/subsurface/subsurface.git synced 2025-02-19 22:16:15 +00:00
Code Issues Projects Releases Packages Wiki Activity

equipment: sanitize 'tank_info' loop limits

Browse source 
In a number of places the global 'tank_info' array
is being iterated based on a 'tank_info[idx].name != NULL'
condition.

This is dangerous because if the user has added a lot of tanks,
such loops can reach 'tank_info[MAX_TANK_INFO]'. This is an
out of bounds read and if the 'name' pointer there happens to be
non-NULL, passing that address to a peace of code that tries
to read it (like strlen()) would either SIGSEGV or have undefined
behavior.

Clamp all loops that iterate 'tank_info' to MAX_TANK_INFO.

Signed-off-by: Lubomir I. Ivanov <neolit123@gmail.com>
This commit is contained in:
Lubomir I. Ivanov 2018-06-19 03:19:56 +03:00 committed by Dirk Hohndel
parent a5380bb741
commit 769aca9e95
3 changed files with 4 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

5
qt-models/tankinfomodel.cpp
View file

@ -91,7 +91,7 @@ TankInfoModel::TankInfoModel() : rows(-1)
{
setHeaderDataStrings(QStringList() << tr("Description") << tr("ml") << tr("bar"));
struct tank_info_t *info = tank_info;
for (info = tank_info; info->name; info++, rows++) {
for (info = tank_info; info->name && info < tank_info + MAX_TANK_INFO; info++, rows++) {
QString infoName = gettextFromC::tr(info->name);
if (infoName.count() > biggerEntry.count())
biggerEntry = infoName;
@ -111,8 +111,7 @@ void TankInfoModel::update()
rows = -1;
}
struct tank_info_t *info = tank_info;
for (info = tank_info; info->name; info++, rows++)
;
for (info = tank_info; info->name && info < tank_info + MAX_TANK_INFO; info++, rows++);
if (rows > -1) {
beginInsertRows(QModelIndex(), 0, rows);