
Prevent a file path buffer overrun

Jordan Christiansen requested to merge xordspar0/grafX2:buffer-overrun into master

If a filename passed from the command line arguments is ever longer than the current working directory (and it usually is longer), strcpy will overrun the working directory buffer. This usually doesn't cause a crash right away, but it caused weird bugs for me, like an assertion failure in free() when trying to free the buffer later:

free(): invalid next size (fast)

Valgrind helped me track down the cause:

$ valgrind bin/grafx2-sdl ~/Projects/kind-of-longish-directory-name/file.gif

...

==116375== Invalid write of size 1
==116375==    at 0x483DDE6: strcpy (vg_replace_strmem.c:511)
==116375==    by 0x1265B2: Init_program (main.c:1104)
==116375==    by 0x12704F: main (main.c:1536)
==116375==  Address 0x5534a81 is 21 bytes after a block of size 28 alloc'd
==116375==    at 0x483CD7B: realloc (vg_replace_malloc.c:834)
==116375==    by 0x4E70F3F: getcwd (in /usr/lib/libc-2.32.so)
==116375==    by 0x17277E: Get_current_directory (io.c:1096)
==116375==    by 0x125B02: Init_program (main.c:655)
==116375==    by 0x12704F: main (main.c:1536)
