From 0a901880dc78f70d715f4a7855f6ce83fa1753c4 Mon Sep 17 00:00:00 2001
From: Mamoru TASAKA
Date: Apr 15 2018 12:53:01 +0000
Subject: crumbler: fix color overvalue when accessing colors array
---
diff --git a/xscreensaver-5.39-0002-crumbler-fix-color-overvalue-when-accessing-colors-a.patch b/xscreensaver-5.39-0002-crumbler-fix-color-overvalue-when-accessing-colors-a.patch
new file mode 100644
index 0000000..94f0a37
--- /dev/null
+++ b/xscreensaver-5.39-0002-crumbler-fix-color-overvalue-when-accessing-colors-a.patch
@@ -0,0 +1,49 @@
+From 58f4a6f93b10d3ba65d9d62f128a30ffba2de72e Mon Sep 17 00:00:00 2001
+From: Mamoru TASAKA
+Date: Sun, 15 Apr 2018 15:12:11 +0900
+Subject: [PATCH] crumbler: fix color overvalue when accessing colors array
+
+gcc8 -fsanitize=address detects the following error:
+
+==30292==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62900003b8b8 at pc 0x00000040b27a bp 0x7fff47820090 sp 0x7fff47820080
+READ of size 2 at 0x62900003b8b8 thread T0
+ #0 0x40b279 in draw_chunk ../../../hacks/glx/crumbler.c:680
+ #1 0x4129ac in draw_crumbler ../../../hacks/glx/crumbler.c:795
+ #2 0x439a21 in xlockmore_draw ../../hacks/xlockmore.c:628
+ #3 0x408dbe in run_screenhack_table ../../hacks/screenhack.c:586
+ #4 0x408dbe in main ../../hacks/screenhack.c:967
+ #5 0x7fa8ac7901ba in __libc_start_main ../csu/libc-start.c:308
+ #6 0x40a4a9 in _start (/home/tasaka1/rpmbuild/fedora-specific/xscreensaver/master/xscreensaver-5.39/x86_64-pc-linux-gnu/hacks/glx/crumbler+0x40a4a9)
+
+0x62900003b8b8 is located 1720 bytes to the right of 16384-byte region [0x629000037200,0x62900003b200)
+allocated by thread T0 here:
+ #0 0x7fa8b054de50 in calloc (/lib64/libasan.so.5+0xeee50)
+ #1 0x40fe98 in init_crumbler ../../../hacks/glx/crumbler.c:633
+ #2 0x3f7fffffffffffff ()
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../hacks/glx/crumbler.c:680 in draw_chunk
+
+Apparently at the line 680, c->color is oversized. I guess at the lines 367-368, parentheses are
+incorrectly added: c2->color should have the value no more than bp->ncolors - 1.
+---
+ hacks/glx/crumbler.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hacks/glx/crumbler.c b/hacks/glx/crumbler.c
+index cf21a94..f9a908a 100644
+--- a/hacks/glx/crumbler.c
++++ b/hacks/glx/crumbler.c
+@@ -364,8 +364,8 @@ split_chunk (ModeInfo *mi, chunk *c, int nchunks)
+ chunks[i] = c2;
+ chunks[i]->nverts = 0;
+ c2->verts = (qh_vertex_t *) calloc (c->nverts, sizeof(*c2->verts));
+- c2->color = (c->color + (random() % (1 + (bp->ncolors / 3)))
+- % bp->ncolors);
++ c2->color = (c->color + (random() % (1 + (bp->ncolors / 3))))
++ % bp->ncolors;
+ }
+
+ /* Add the verts to the approprate chunks
+--
+2.17.0
+
diff --git a/xscreensaver.spec b/xscreensaver.spec
index bb00853..3f972e7 100644
--- a/xscreensaver.spec
+++ b/xscreensaver.spec
@@ -10,7 +10,7 @@ %define split_getimage 1
 %endif
-%define fedora_rel 1
+%define fedora_rel 2
 %global use_clang_as_cc 0
 %global use_clang_analyze 0
@@ -87,6 +87,8 @@ Patch3604: xscreensaver-5.36-0004-init_crystal-kill-gcc7-Wint-in-bool-cont
 Patch3607: xscreensaver-5.36-0007-misc-kill-gcc-warn_unused_result-warnings.patch
 # driver/Makefile.in: fix path for font-retry.o
 Patch3901: xscreensaver-5.39-0001-driver-Makefile.in-fix-path-for-font-retry.o.patch
+# crumbler: fix color overvalue when accessing colors array
+Patch3902: xscreensaver-5.39-0002-crumbler-fix-color-overvalue-when-accessing-colors-a.patch
 #
 # Debugging patch
 # Not apply by default
@@ -363,6 +365,7 @@ rm -f driver/XScreenSaver_ad.h
 %__cat %PATCH3604 | %__git am
 #%%__cat %PATCH3607 | %__git am
 %__cat %PATCH3901 | %__git am
+%__cat %PATCH3902 | %__git am
 #%%__cat %PATCH13501 | %%__git am
@@ -1048,6 +1051,9 @@ exit 0
 %endif
 %changelog
+* Sun Apr 15 2018 Mamoru TASAKA - 1:5.39-2
+- crumbler: fix color overvalue when accessing colors array
+
 * Sun Apr 15 2018 Mamoru TASAKA - 1:5.39-1
 - Update to 5.39
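Review bot: The re-parenthesised assignment to `c2->color` in the crumbler.c hunk only lands in `[0, bp->ncolors)` if the parent's `c->color` is non-negative and `bp->ncolors` is non-zero, and neither is checked here; `% bp->ncolors` divides by zero for an empty palette, and a negative `c->color` (if the field is a signed int) yields a negative index that `draw_chunk` would still read out of bounds. I cannot see `init_crumbler` or the struct, so whether either case is reachable is unverified. Since the original bug was a precedence slip that only ASan caught, the invariant deserves a comment at the assignment, e.g. `/* keep color in [0, ncolors): draw_chunk indexes bp->colors[c->color] with no bounds check */`, and a cheap guard such as `assert (c2->color >= 0 && c2->color < bp->ncolors);` would make any future regression fail loudly instead of reading past the colors array. `split_chunk` starts and ends outside the hunk.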