ivakyb / minini

Automatically exported from code.google.com/p/minini

Reading past start of a stack allocated buffer in cache_flush() #28

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The cache_flush function does an invalid stack buffer read when the size 
parameter passed in is 0.

We found the problem when running MinIni along with some code that was compiled 
with the Address Sanitizer plugin of Clang 3.4.

If you look at the last line of the function, it adds pos to the buffer but it 
will be zero if the size that was passed in is zero. This results in reading to 
the left of the buffer and it may cause weird issues on an embedded system 
where that address may be invalid.

static int cache_flush(TCHAR *buffer, int *size,
                      INI_FILETYPE *rfp, INI_FILETYPE *wfp, INI_FILEPOS *mark)
{
  int pos = 0;

  (void)ini_seek(rfp, mark);
  assert(buffer != NULL);
  buffer[0] = '\0';
  assert(size != NULL);
  /* with *size == 0 the loop body never runs and pos stays 0 */
  while (pos < *size) {
    (void)ini_read(buffer + pos, INI_BUFFERSIZE - pos, rfp);
    pos += _tcslen(buffer + pos);
    assert(pos <= *size);
  } /* while */
  if (buffer[0] != '\0')
    (void)ini_write(buffer, wfp);
  (void)ini_tell(rfp, mark);  /* update mark */
  *size = 0;
  /* return whether the buffer ended with a line termination */
  /* when pos == 0, buffer + pos - _tcslen(INI_LINETERM) points before buffer */
  return (_tcscmp(buffer + pos - _tcslen(INI_LINETERM), INI_LINETERM) == 0);
} /* cache_flush */

What version of the product are you using? On what operating system?
1.2b, compiled on Ubuntu Linux 12.10 x64.

Original issue reported on code.google.com by shreyas....@eroad.co.nz on 27 Mar 2014 at 9:54
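The following is an added example written for this page; it is not MinIni's code and not the fix that was later committed. It shows the defensive form of the final check in cache_flush(): the comparison is only attempted once at least as many bytes as the line terminator have been accumulated, so the size == 0 case reported above returns "no terminator" instead of forming a pointer before the buffer. The flush loop is simulated over an in-memory string with a constructed stand-in for INI_LINETERM; ends_with_term, flush_simulated and EXAMPLE_LINETERM are names chosen for this example.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for INI_LINETERM; MinIni's real value depends on
   its configuration. */
#define EXAMPLE_LINETERM "\n"

/* Returns 1 if the first `pos` bytes of `buffer` end with `term`, else 0.
   The guard keeps buffer + pos - tlen from ever pointing before `buffer`,
   which is exactly the case pos == 0 (size passed in as 0) triggers in the
   original return statement. */
int ends_with_term(const char *buffer, size_t pos, const char *term)
{
    size_t tlen = strlen(term);
    if (pos < tlen)           /* covers pos == 0 */
        return 0;
    return memcmp(buffer + pos - tlen, term, tlen) == 0;
}

/* Minimal stand-in for the flush loop: copies up to `*size` bytes of `src`
   (the simulated unread part of the input file) into `buffer` one line at a
   time, the way cache_flush() accumulates lines, resets *size to 0 like the
   original, and returns the guarded terminator check. */
int flush_simulated(char *buffer, size_t bufsize, int *size, const char *src)
{
    size_t pos = 0;
    size_t avail = strlen(src);
    buffer[0] = '\0';
    while (pos < (size_t)*size && pos < avail && pos + 1 < bufsize) {
        /* copy one line including its terminator, as a single read would */
        const char *nl = strchr(src + pos, '\n');
        size_t n = nl ? (size_t)(nl - (src + pos)) + 1 : avail - pos;
        if (n > bufsize - 1 - pos)
            n = bufsize - 1 - pos;          /* never overrun the buffer */
        if (n > (size_t)*size - pos)
            n = (size_t)*size - pos;        /* keep pos <= *size, as asserted */
        memcpy(buffer + pos, src + pos, n);
        pos += n;
        buffer[pos] = '\0';
    }
    *size = 0;
    return ends_with_term(buffer, pos, EXAMPLE_LINETERM);
}

int main(void)
{
    char buf[64];
    int size = 0;   /* the reported case: nothing cached, pos stays 0 */
    printf("size 0 -> %d\n", flush_simulated(buf, sizeof buf, &size, "key=1\n"));
    size = 6;
    printf("one line -> %d\n", flush_simulated(buf, sizeof buf, &size, "key=1\nname=x\n"));
    size = 12;
    printf("no terminator -> %d\n", flush_simulated(buf, sizeof buf, &size, "key=1\nname=x"));
    return 0;
}
```

Running the example with an AddressSanitizer build (the setup the reporter used) is a quick way to confirm that the guarded check never touches memory outside `buf`, whereas the unguarded expression with pos == 0 reads before it.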

GoogleCodeExporter commented 9 years ago
Confirmed.

Original comment by thiadmer...@gmail.com on 28 Mar 2014 at 3:34

GoogleCodeExporter commented 9 years ago
Fix committed in revision 49.

Original comment by thiadmer...@gmail.com on 30 Apr 2014 at 10:11

GoogleCodeExporter commented 9 years ago
That's great, thanks for the fix!

Original comment by shreyas....@eroad.co.nz on 30 Apr 2014 at 9:45