systembugtj / omaha

Automatically exported from code.google.com/p/omaha
Apache License 2.0

Incorrect validation in minicrt memcpy_s() and memmove_s() #22

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The validation logic in memcpy_s() and memmove_s() 
(third_party/minicrt/memory.cc) is incorrect.  A patch is attached below.

As far as Omaha is concerned, the bug manifests itself in opt-win builds 
(which are linked against minicrt).  E.g.: When the meta installer from an 
opt-win build is run, it will terminate with no user-visible error.  
memcpy_s() is used by CString, which is used by the meta installer to 
construct path strings.  These path strings will fail to be initialized 
properly due to this bug, resulting in the abnormal termination.  
(Possibly related to issue 19).

Patch included inline (also attached):

Index: memory.cc
===================================================================
--- memory.cc   (revision 104)
+++ memory.cc   (working copy)
@@ -74,9 +74,9 @@
       return 0;
   }

-  if (dst != NULL) return EINVAL;
-  if (src != NULL) return EINVAL;
-  if (size_in_bytes >= count) return ERANGE;
+  if (dst == NULL) return EINVAL;
+  if (src == NULL) return EINVAL;
+  if (size_in_bytes < count) return ERANGE;

   memmove(dst, src, count);
   return 0;
@@ -90,9 +90,9 @@
         return 0;
   }

-  if (dst != NULL) return EINVAL;
-  if (src != NULL) return EINVAL;
-  if (size_in_bytes >= count) return ERANGE;
+  if (dst == NULL) return EINVAL;
+  if (src == NULL) return EINVAL;
+  if (size_in_bytes < count) return ERANGE;

   memcpy(dst, src, count);
   return 0;
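
Review bot: The three checks before memcpy() are a verbatim copy of the ones in the previous hunk, so the same inverted conditions had to be fixed twice. Suggest moving them into one static helper that both memcpy_s() and memmove_s() call, and adding a comment that dst is left unmodified when EINVAL or ERANGE is returned, since a caller that ignores the return value then continues with an uninitialized buffer.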

Original issue reported on code.google.com by asa...@gmail.com on 10 May 2010 at 8:48

Attachments:
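
A contract test that tells the `-` lines of the patch above from the `+` lines, as an added example that is not part of the original issue or of Omaha's code. `validator`, `checked_copy` and `contract_failures` are hypothetical names; only the three checks come from the patch, since the rest of the function bodies in memory.cc is not shown on the page.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical types/helpers: the check step is split out so both versions
   can be run through the same copy wrapper and the same test cases. */
typedef int (*validator)(const void *dst, size_t size_in_bytes,
                         const void *src, size_t count);

/* The '-' lines of the patch: every condition is inverted. */
static int validate_before(const void *dst, size_t size_in_bytes,
                           const void *src, size_t count) {
  if (dst != NULL) return EINVAL;
  if (src != NULL) return EINVAL;
  if (size_in_bytes >= count) return ERANGE;
  return 0;
}

/* The '+' lines of the patch. */
static int validate_after(const void *dst, size_t size_in_bytes,
                          const void *src, size_t count) {
  if (dst == NULL) return EINVAL;
  if (src == NULL) return EINVAL;
  if (size_in_bytes < count) return ERANGE;
  return 0;
}

static int checked_copy(validator v, void *dst, size_t size_in_bytes,
                        const void *src, size_t count) {
  int err = v(dst, size_in_bytes, src, count);
  if (err == 0) memmove(dst, src, count);  /* copy only on success */
  return err;
}

/* Number of contract cases the validator gets wrong (0 means it passes). */
int contract_failures(validator v) {
  const char src[4] = "abc";  /* constructed sample input */
  char dst[8] = {0};
  int bad = (checked_copy(v, dst, sizeof dst, src, 4) != 0 || memcmp(dst, src, 4) != 0);
  bad += checked_copy(v, dst, 4, src, 4) != 0;                /* exact fit is legal */
  bad += checked_copy(v, dst, 3, src, 4) != ERANGE;           /* destination too small */
  bad += checked_copy(v, NULL, sizeof dst, src, 4) != EINVAL; /* NULL destination */
  bad += checked_copy(v, dst, sizeof dst, NULL, 4) != EINVAL; /* NULL source */
  return bad;
}

int main(void) {
  printf("%d %d\n", contract_failures(validate_before), contract_failures(validate_after));
  return 0;
}
```

The pre-patch checks only get the two NULL cases right, and only by accident: the other pointer is non-NULL, so one of the inverted tests returns EINVAL anyway.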

GoogleCodeExporter commented 9 years ago

Original comment by ryanmyers@google.com on 16 Mar 2012 at 11:14