author: Salvador Cuñat <salvador.cunat@gmail.com> 2020-08-02 10:39:39 +0200
committer: Dirk Hohndel <dirk@hohndel.org> 2020-08-13 10:02:12 -0700
commit: e3a158624bd5b15451626907a30185ec4aaf0d87 (patch)
tree: 936436bf80dcf591ca3f84a4d1b56d52d5ef58f9 /packaging/ios/iPhoneSimulatorCMakeToolchain
parent: 45812da0463451cd61eacb617ce30cb40e50844a (diff)
download: subsurface-e3a158624bd5b15451626907a30185ec4aaf0d87.tar.gz
smtk-import: Workaround segfault in mdbtools memcpy call
Smtk2ssrf has a segfault which matches quite well glibc's CVE-2019-6488 (except for the x32 part). It came from a call to memcpy in the mdb_ole_read() func, used to get the header and the profile of a dive from the database. Maybe it could be fixed in libmdb, but the Mdbtools project has been stalled for the past 5 years, so ...

The segfault seems to be triggered by an empty profile in the first dive in the database (a pretty common case in older Aladin DCs due to their little memory). The only special thing here is the fact that it's the first dive in the database structure (not the first by its index). We can avoid the crash if we don't call the mdb_ole_read_full() func on a zero-sized profile field. The problem here is that we can't get the size of the fields and build the MdbColumn in the same round. Happily, we just need the MdbColumn struct for the dive profile and header. So, we can change the previous approach of using MdbColumns through almost all functions to a simpler one using the strings already bound by smtk_open_table(), and just use the col[n]->bind_pointer in the main function, where the columns are built to be used by mdb_ole_read_full().

Reported-by: Robert C. Helling <helling@atdotde.de>
Signed-off-by: Salvador Cuñat <salvador.cunat@gmail.com>
Diffstat (limited to 'packaging/ios/iPhoneSimulatorCMakeToolchain')
0 files changed, 0 insertions, 0 deletions