[sword-devel] Segfault in LZSS code

Troy A. Griffitts scribe at crosswire.org
Sun Feb 28 16:28:26 EST 2021


Yep, and I appreciate the report and the stack trace.  Your example
crashes on a strcpy, which fails because there is no terminating null in
the random data.  I changed that to a strncpy, to prevent the problem,
but the issue still persists because the size I am passing as the 'n' in
strncpy is also pulled from the random data, so it doesn't really help
much.  I will try to add a simple check to be sure size < block end -
src address, which should keep us from reading past the data buffer
end.  I'll commit something to make things a bit better.  I do
appreciate the report.

Troy


On 2/28/21 1:09 PM, Bastian Germann wrote:
> On 28.02.21 at 17:32, Troy A. Griffitts wrote:
>> The problem would be the same if ZIP was the default and you gave the
>> ZIP compression driver LZSS data files.
>
> I tried several combinations of wrong input for the other compression
> types after finding the bug and it turned out the others error, which
> is the right way to deal with unexpected input.
>
>> In summary, if you specify the wrong driver for the data files of
>> your module, you will get undefined behaviour.
>
> That is fine and reasonable. In my opinion any segfault is a bug. It
> is not very likely to happen for end users but during module
> development you are not too unlikely to hit it. I reported it because I
> experienced that bug for the 2nd time actually.
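
The bounds check described in the reply above (size must fit between the source address and the block end), as an added example that is not part of the original thread and is not SWORD's code. The record layout, the function name `read_record` and the sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical record layout (constructed for this example, not SWORD's
 * on-disk format): a 4-byte little-endian length, then that many bytes. */

/* Copies one record's payload from the untrusted range [src, end) into dst
 * and NUL-terminates it. Returns the payload length, or -1 when the record
 * cannot be valid; nothing is read outside [src, end) in either case. */
long read_record(const unsigned char *src, const unsigned char *end,
                 char *dst, size_t dst_cap)
{
    if (src == NULL || end == NULL || dst == NULL || src > end)
        return -1;
    size_t avail = (size_t)(end - src);
    if (avail < 4)                    /* length field itself is truncated */
        return -1;
    uint32_t size = (uint32_t)src[0] | (uint32_t)src[1] << 8 |
                    (uint32_t)src[2] << 16 | (uint32_t)src[3] << 24;
    avail -= 4;
    /* The check from the message: size must fit between src and block end.
     * Comparing against the remaining byte count avoids forming src + size,
     * which could overflow the pointer when size comes from random data. */
    if (size > avail)
        return -1;
    if (dst_cap == 0 || size > dst_cap - 1)   /* bound the destination too */
        return -1;
    memcpy(dst, src + 4, size);       /* length is now known to be in range */
    dst[size] = '\0';                 /* do not rely on a NUL in the data */
    return (long)size;
}

/* Constructed sample inputs: one well-formed record, one whose length
 * field claims far more bytes than the buffer holds. */
static const unsigned char GOOD[] = { 5, 0, 0, 0, 'G', 'e', 'n', ' ', '1' };
static const unsigned char BAD[]  = { 0xff, 0xff, 0xff, 0x7f, 'x', 'y' };

int main(void)
{
    char out[32];
    long a = read_record(GOOD, GOOD + sizeof GOOD, out, sizeof out);
    long b = read_record(BAD, BAD + sizeof BAD, out, sizeof out);
    return (a == 5 && b == -1) ? 0 : 1;
}
```

Returning an error for the oversized length matches the behaviour reported for the other compression drivers, which error on unexpected input instead of crashing.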

