runtime_loader: fix crash because of missing initialization

The "versions" table is populated from two sources: the elf
"needed_version" and "version_definitions" tables. Both populate
specific index in the version table. Each index has an hash, and one or
two strings.

The algorithm to find data in this table is to compare by hash, and then
do an strcmp on the strings when the hash matches.

However, nothing guarantees that all the indices in the version array
will be used. Indeed, libavutil does not use the first two. These were
left uninitialized.

It could happen that one of these would accidentally have its hash equal
to one of the actual hashes we need to lookup, and invalid string
pointers. This would of course lead to a crash. This was reproductible
easily with WebKit when loading the fmpeg add-on. I guess that hit just
the right allocation/deallocation pattern to make the runtime_loader
reuse memory from a block where it had previously stored the same hash.

Anyway, just clear the whole version table after allocating, so that
unused entries have an hash of 0 and NULL string pointers, this way they
can't accidentally trigger a hash collision and crash everything.
This commit is contained in:
Adrien Destugues 2019-12-07 15:55:56 +01:00
parent 2a49e094a6
commit 16fca25e27

View File

@ -106,12 +106,14 @@ init_image_version_infos(image_t* image)
return B_OK;
// allocate the version infos
size_t size = sizeof(elf_version_info) * (maxIndex + 1);
image->versions
= (elf_version_info*)malloc(sizeof(elf_version_info) * (maxIndex + 1));
= (elf_version_info*)malloc(size);
if (image->versions == NULL) {
FATAL("Memory shortage in init_image_version_infos()");
return B_NO_MEMORY;
}
memset(image->versions, 0, size);
image->num_versions = maxIndex + 1;
// init the version infos