Parameter parsing in gst-tool.c can cause out of bounds reads
By Hanno Böck - Posted on February 4th, 2016
Project: GNU Smalltalk
Component: Build
Category: bug
Priority: normal
Assigned: Unassigned
Status: active
Description
In gst-tool.c there is a loop that compares a given long option with the available long options. It uses a memcmp call for that with the length of the given option.
This will cause out of bounds heap reads (that can be detected with address sanitizer), because many of the available options will be shorter than a given option.
Changing memcmp to strncmp corrects this bug and will avoid reading the option strings beyond a terminating zero. See attached patch. This patch is against the latest test version 3.2.91.
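
The bug pattern and the fix described above, as an added sketch; it is not the code from gst-tool.c or from the attached patch. The option table and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical long-option table (constructed; not taken from gst-tool.c). */
static const char *const long_opts[] = {
    "help", "verbose", "kernel-directory", NULL
};

/* BEFORE: memcmp is asked to compare `len` bytes, and len comes from the
   user's argument. When long_opts[i] is shorter than len, memcmp is allowed
   to read past that option's terminating NUL: an out-of-bounds read, which
   AddressSanitizer reports. Kept here for comparison only. */
int find_opt_memcmp(const char *arg)
{
    size_t len = strlen(arg);
    for (int i = 0; long_opts[i]; i++)
        if (memcmp(long_opts[i], arg, len) == 0)
            return i;
    return -1;
}

/* AFTER: strncmp stops at the first NUL in either string, so a short
   option name is never read beyond its terminator. Abbreviated options
   (a prefix of a full name) still match, as with the memcmp version. */
int find_opt_strncmp(const char *arg)
{
    size_t len = strlen(arg);
    for (int i = 0; long_opts[i]; i++)
        if (strncmp(long_opts[i], arg, len) == 0)
            return i;
    return -1;
}

int main(void)
{
    /* Constructed input, longer than "help" and "verbose": the memcmp
       variant would over-read both entries while scanning the table. */
    const char *long_arg = "kernel-directory-with-a-long-suffix";

    printf("verb     -> %d\n", find_opt_strncmp("verb"));
    printf("long arg -> %d\n", find_opt_strncmp(long_arg));
    return 0;
}
```

Building the memcmp variant with `-fsanitize=address` and calling it with the long argument is a way to reproduce the kind of report the description mentions; with string literals the over-read lands in global data rather than on the heap.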