From 16fca25e2729715e03a2cec6c16cba530cf91908 Mon Sep 17 00:00:00 2001 From: Adrien Destugues Date: Sat, 7 Dec 2019 15:55:56 +0100 Subject: [PATCH] runtime_loader: fix crash because of missing initialization The "versions" table is populated from two sources: the elf "needed_version" and "version_definitions" tables. Both populate specific index in the version table. Each index has an hash, and one or two strings. The algorithm to find data in this table is to compare by hash, and then do an strcmp on the strings when the hash matches. However, nothing guarantees that all the indices in the version array will be used. Indeed, libavutil does not use the first two. These were left uninitialized. It could happen that one of these would accidentally have its hash equal to one of the actual hashes we need to lookup, and invalid string pointers. This would of course lead to a crash. This was reproductible easily with WebKit when loading the fmpeg add-on. I guess that hit just the right allocation/deallocation pattern to make the runtime_loader reuse memory from a block where it had previously stored the same hash. Anyway, just clear the whole version table after allocating, so that unused entries have an hash of 0 and NULL string pointers, this way they can't accidentally trigger a hash collision and crash everything. --- src/system/runtime_loader/elf_versioning.cpp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/system/runtime_loader/elf_versioning.cpp b/src/system/runtime_loader/elf_versioning.cpp index 9785d1d9f3..46f095e0e3 100644 --- a/src/system/runtime_loader/elf_versioning.cpp +++ b/src/system/runtime_loader/elf_versioning.cpp @@ -106,12 +106,14 @@ init_image_version_infos(image_t* image) return B_OK; // allocate the version infos + size_t size = sizeof(elf_version_info) * (maxIndex + 1); image->versions - = (elf_version_info*)malloc(sizeof(elf_version_info) * (maxIndex + 1)); + = (elf_version_info*)malloc(size); if (image->versions == NULL) { FATAL("Memory shortage in init_image_version_infos()"); return B_NO_MEMORY; } + memset(image->versions, 0, size); image->num_versions = maxIndex + 1; // init the version infos