[vbox-dev] Bug report (medium)
TwoThe
twothe at web.de
Fri Apr 30 16:32:07 PDT 2010
Type: Bug
Severity: medium
Component: VirtualBox OSE
Host: Ubuntu 64
In file src/libs/xpcom18a4/xpcom/typelib/xpidl/xpidl_typelib.c:
#417 annotation_len = strlen(annotation_format) + strlen(state->basename) +
418 strlen(timestr);
419 for (i = 0; i < HEADER(state)->num_interfaces; i++) {
[...]
425 }
426
!427 annotate_val = (char *) malloc(annotation_len);
In line 417 the size of annotation_len is calculated and later (line 427) used to allocate memory for a string, but there is not enough memory reserved for the terminating 0 character.
In line 418 there should be a "+ 1" added to the calculation.
In file out/linux.amd64/debug/obj/VBoxOGLgen/state_current_gen.c (creation source unknown):
1789 if (v != NULL) {
!1790 COPY_4V(c->vertexAttrib[VERT_ATTRIB_TEX0 + i], texCoord_default);
!1791 convert(&(c->vertexAttrib[VERT_ATTRIB_TEX0 + i][0]), v);
!1792 DIRTY(cb->vertexAttrib[VERT_ATTRIB_TEX0 + i], nbitID);
1793 DIRTY(cb->dirty, nbitID);
1794 }
with i defined as
1706 for (i = 0 ; i < CR_MAX_TEXTURE_UNITS ; i++)
will cause the array CRCurrentState->vertexAttrib of size 16 to exceed the array bounds with index VERT_ATTRIB_TEX0 + i, as VERT_ATTRIB_TEX0 is 8 and CR_MAX_TEXTURE_UNITS is 16, causing i to loop from 0 to 15.
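The two defects above, as an added C example that is not VirtualBox's own code: the constants are stand-ins taken from the report (VERT_ATTRIB_TEX0 = 8, CR_MAX_TEXTURE_UNITS = 16, vertexAttrib of size 16), and the annotation is modelled as a plain concatenation of the three parts, which is an assumption about the real format string.

```c
/* Added example, not VirtualBox code: a correctly sized annotation buffer
 * and a bounds check for the texture-unit index described in the report. */
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in constants, values as stated in the report. */
#define VERT_ATTRIB_TEX0     8
#define CR_MAX_TEXTURE_UNITS 16
#define VERTEX_ATTRIB_COUNT  16   /* size of CRCurrentState->vertexAttrib */

/* Size needed for the three parts plus the terminating NUL that the
 * calculation in lines 417/418 leaves out. */
size_t annotation_alloc_size(const char *fmt, const char *basename,
                             const char *timestr) {
    return strlen(fmt) + strlen(basename) + strlen(timestr) + 1;
}

/* Build the annotation in a buffer sized by annotation_alloc_size().
 * Returns a malloc'd string the caller must free, or NULL on failure.
 * The concatenation is an assumption standing in for the real format. */
char *build_annotation(const char *fmt, const char *basename,
                       const char *timestr) {
    size_t len = annotation_alloc_size(fmt, basename, timestr);
    char *out = malloc(len);
    if (out == NULL)
        return NULL;
    /* snprintf always NUL-terminates within len; the return value proves
     * the buffer was large enough (no truncation happened). */
    int n = snprintf(out, len, "%s%s%s", fmt, basename, timestr);
    assert(n >= 0 && (size_t)n < len);
    return out;
}

/* The index VERT_ATTRIB_TEX0 + i is valid only while it stays below the
 * array size; with the reported constants that holds for i in 0..7. */
int attrib_index_in_bounds(int i) {
    return i >= 0 && VERT_ATTRIB_TEX0 + i < VERTEX_ATTRIB_COUNT;
}

/* Number of texture units the loop at line 1706 may safely visit:
 * the smaller of CR_MAX_TEXTURE_UNITS and the slots left after TEX0. */
int safe_texture_unit_count(void) {
    int room = VERTEX_ATTRIB_COUNT - VERT_ATTRIB_TEX0;
    return room < CR_MAX_TEXTURE_UNITS ? room : CR_MAX_TEXTURE_UNITS;
}
```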