dt_iop_load_modules_so(): Prevent stack-buffer-overflow if IOP name is longer than 19 symbols

We use char op[20]; to store iop names, and if somehow we end up with an iop with a long enough name, we end up overflowing the stack:

==23602==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff00816974 at pc 0x7fdcbfbce3f2 bp 0x7fff00816810 sp 0x7fff00816808
WRITE of size 1 at 0x7fff00816974 thread T0
    #0 0x7fdcbfbce3f1 in dt_iop_load_modules_so /home/lebedevri/darktable/src/develop/imageop.c:1214
    #1 0x7fdcbfb00229 in dt_init /home/lebedevri/darktable/src/common/darktable.c:873
    #2 0x400b9f in main /home/lebedevri/darktable/src/main.c:24
    #3 0x7fdcb80b1b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #4 0x400c22 (/usr/local/bin/darktable+0x400c22)

Address 0x7fff00816974 is located in stack of thread T0 at offset 180 in frame
    #0 0x7fdcbfbcc92f in dt_iop_load_modules_so /home/lebedevri/darktable/src/develop/imageop.c:1196

  This frame has 5 object(s):
    [32, 40) 'stmt'
    [96, 104) 'stmt'
    [160, 180) 'op' <== Memory access at offset 180 overflows this variable
    [224, 1248) 'path'
    [1280, 5376) 'plugindir'
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/lebedevri/darktable/src/develop/imageop.c:1214 dt_iop_load_modules_so
...
==23602==ABORTING

Now, if we encounter such an iop (e.g. libexposure123456789012.so), we will simply fail to load it:

[iop_load_module] failed to open operation `exposure12345678901': /usr/local/lib/darktable/plugins/libexposure12345678901.so: cannot open shared object file: No such file or directory

While there, also add a check to the CMake add_iop() macro to prevent adding such iops.
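A runnable re-creation of the bounded name extraction, added here as an example and not darktable's own code: the 20-byte `op` buffer and the 20-character plugin name come from the commit message, while the `lib<op>.so` parsing, the function name and the return convention are assumptions about how the loader derives the name.

```c
#include <stdio.h>
#include <string.h>

/* Same fixed-size buffer as the commit: 19 usable characters plus the NUL. */
#define DT_IOP_NAME_LEN 20

/* Hypothetical re-creation of the name extraction in dt_iop_load_modules_so()
 * (not darktable's code): a plugin file "lib<op>.so" yields the op name.
 * Returns 0 when the whole name fits, 1 when it had to be cut to 19 characters
 * (the loader then looks for lib<truncated>.so and fails, as in the commit),
 * and -1 for a malformed file name. The buffer is never written past its end. */
int extract_iop_name(const char *filename, char op[DT_IOP_NAME_LEN])
{
  const size_t plen = strlen("lib"), slen = strlen(".so");
  const size_t flen = strlen(filename);

  if(flen <= plen + slen || strncmp(filename, "lib", plen) != 0
     || strcmp(filename + flen - slen, ".so") != 0)
    return -1;

  const size_t namelen = flen - plen - slen;
  /* Bound the copy before it happens: this is the check that was missing. */
  const size_t copied = namelen < DT_IOP_NAME_LEN ? namelen : DT_IOP_NAME_LEN - 1;
  memcpy(op, filename + plen, copied);
  op[copied] = '\0';
  return copied < namelen ? 1 : 0;
}

int main(void)
{
  /* Constructed file names, including the 20-character one from the commit. */
  const char *files[] = { "libexposure.so", "libexposure123456789012.so", "exposure" };
  char op[DT_IOP_NAME_LEN];
  for(size_t i = 0; i < sizeof files / sizeof files[0]; i++)
  {
    int rc = extract_iop_name(files[i], op);
    if(rc == 0) printf("load lib%s.so\n", op);
    else if(rc == 1) printf("[iop_load_module] name cut to `%s', lib%s.so will not be found\n", op, op);
    else printf("skip `%s': not a plugin file name\n", files[i]);
  }
  return 0;
}
```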