Closed exarkun closed 9 months ago
`enc_matrix` should have `k * n == 65536` elements (as allocated by `NEW_GF_MATRIX` in `fec_new`). `index[i] * code->k` is 16777216, which is impossibly far beyond the end of the allocated space for `enc_matrix`, which it is used to index.

Since `code->k` is effectively constant I suppose that `index[i]` has been mis-computed at some point.

valgrind confirms this invalid read:
```
==1535306== Invalid read of size 8
==1535306==    at 0x484FDED: memmove (in /nix/store/zxw3x6cmhpw4x09lhb2aim3zkynr9mld-valgrind-3.19.0/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==1535306==    by 0x13062391: memcpy (string_fortified.h:29)
==1535306==    by 0x13062391: build_decode_matrix_into_space (fec.c:521)
==1535306==    by 0x13062BCD: fec_decode (fec.c:533)
==1535306==  Address 0x12f81370 is 0 bytes after a block of size 65,536 alloc'd
==1535306==    at 0x484679B: malloc (in /nix/store/zxw3x6cmhpw4x09lhb2aim3zkynr9mld-valgrind-3.19.0/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==1535306==    by 0x13061E99: fec_new (fec.c:449)
==1535306==    by 0x130603E1: Decoder_init (_fecmodule.c:363)
==1535306==    by 0x4977AD6: type_call (in /nix/store/rc9cz7z4qlgmsbwvpw2acig5g2rdws46-python3-3.10.5/lib/libpython3.10.so.1.0)
==1535306==    by 0x4914363: _PyObject_MakeTpCall (in /nix/store/rc9cz7z4qlgmsbwvpw2acig5g2rdws46-python3-3.10.5/lib/libpython3.10.so.1.0)
==1535306==    by 0x48C7509: _PyEval_EvalFrameDefault (in /nix/store/rc9cz7z4qlgmsbwvpw2acig5g2rdws46-python3-3.10.5/lib/libpython3.10.so.1.0)
==1535306==    by 0x4A4205E: _PyEval_Vector (in /nix/store/rc9cz7z4qlgmsbwvpw2acig5g2rdws46-python3-3.10.5/lib/libpython3.10.so.1.0)
==1535306==    by 0x4A426C7: PyEval_EvalCode (in /nix/store/rc9cz7z4qlgmsbwvpw2acig5g2rdws46-python3-3.10.5/lib/libpython3.10.so.1.0)
==1535306==    by 0x4AC6D8C: run_mod (in /nix/store/rc9cz7z4qlgmsbwvpw2acig5g2rdws46-python3-3.10.5/lib/libpython3.10.so.1.0)
==1535306==    by 0x4AD3741: _PyRun_SimpleFileObject (in /nix/store/rc9cz7z4qlgmsbwvpw2acig5g2rdws46-python3-3.10.5/lib/libpython3.10.so.1.0)
==1535306==    by 0x4AD3D1A: _PyRun_AnyFileObject (in /nix/store/rc9cz7z4qlgmsbwvpw2acig5g2rdws46-python3-3.10.5/lib/libpython3.10.so.1.0)
==1535306==    by 0x4AD7EDE: Py_RunMain (in /nix/store/rc9cz7z4qlgmsbwvpw2acig5g2rdws46-python3-3.10.5/lib/libpython3.10.so.1.0)
```
and the idea that `enc_matrix` is 65536 bytes long.

Huh, `index` is a parameter to `fec_decode` - not a value computed in `fec.c`. So these values seem to come from the Python bindings. The Python code computes `index` correctly as far as I can tell, though.
The loop variable `i` in `build_decode_matrix_into_space` is `unsigned char`. `k` is `unsigned [int]`. The loop condition is `i < k`, which will never be false for `k == 256`. The loop runs and runs until it incorrectly overwrites some memory that leads to the corruption of `index`.
Reproducer:

Results:

stack trace:

Apparent source line in `fec.c`:

```
k == 256
*code == {magic = 4271885820, k = 256, n = 256, enc_matrix = 0x53c010 "\001"}
i == 92
index[i] == 65536
```
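As an added example (not zfec's code, and not the project's fix), here is a small C model of the `unsigned char` loop-counter problem described in this issue, next to a hardened version of the same row loop. Everything here is constructed: `model_fec_t`, `rows_visited_narrow_counter`, `build_decode_rows_checked` and the two `demo_*` functions are hypothetical names; the row layout (n rows of k bytes, indexed as `enc_matrix[index[i] * code->k]`) follows what the report says about `enc_matrix`, and the identity-row branch for primary blocks is an assumption about the loop body, not something taken from `fec.c`. The first function counts how many rows the narrow-counter loop would visit (with an artificial cap so the k == 256 case terminates); the second uses a counter as wide as `k` and rejects any `index[i]` that is not a valid row of `enc_matrix`, so a corrupted value like 65536 fails loudly instead of being multiplied into an out-of-bounds offset.

```c
#include <string.h>
#include <stdio.h>

typedef unsigned char gf;

/* Hypothetical stand-in for zfec's fec_t holding only the fields the
 * decode-matrix loop touches. enc_matrix is n rows of k bytes (k*n
 * entries, as the report says), so valid row numbers are 0..n-1. */
typedef struct {
    unsigned k;
    unsigned n;
    gf *enc_matrix;
} model_fec_t;

/* Model of the row loop as the report describes it: the counter is an
 * unsigned char, so for k == 256 the condition i < k is always true and i
 * wraps 255 -> 0. This model counts rows instead of writing through a
 * pointer and gives up after `cap` iterations; the real loop has no such
 * guard and keeps advancing its row pointer past the k*k matrix. */
unsigned rows_visited_narrow_counter(unsigned k, unsigned cap)
{
    unsigned char i;
    unsigned rows = 0;
    for (i = 0; i < k; i++) {
        if (++rows >= cap)
            break;
    }
    return rows;   /* k when k < 256, cap (runaway) when k == 256 */
}

/* Hardened version of the same loop (added here, not zfec's own fix): the
 * counter is as wide as k, k is range-checked, and every index[i] is
 * checked against n before being multiplied into an offset. Fills
 * `matrix` (k*k bytes) with one row per requested block.
 * Returns 0 on success, -1 for an invalid k, -2 for an invalid index. */
int build_decode_rows_checked(const model_fec_t *code, const unsigned *index,
                              unsigned k, gf *matrix)
{
    unsigned i;
    gf *p = matrix;

    if (k == 0 || k > 256 || k != code->k || k > code->n)
        return -1;
    for (i = 0; i < k; i++, p += k) {
        if (index[i] >= code->n)
            return -2;            /* the report's 65536 stops here */
        if (index[i] < k) {
            memset(p, 0, k);      /* primary block: identity row (assumed) */
            p[index[i]] = 1;
        } else {                  /* secondary block: copy encoding row */
            memcpy(p, &code->enc_matrix[index[i] * code->k], k);
        }
    }
    return 0;
}

/* The k == n == 256 configuration from the report, with constructed input:
 * index[i] == i (all primary blocks, the only option when k == n).
 * Returns 1 if the hardened loop produced the 256x256 identity matrix. */
int demo_k256_identity(void)
{
    enum { K = 256 };
    static gf enc[K * K], matrix[K * K];
    static unsigned index[K];
    model_fec_t code = { K, K, enc };
    unsigned i, j;

    for (i = 0; i < K; i++)
        index[i] = i;
    if (build_decode_rows_checked(&code, index, K, matrix) != 0)
        return 0;
    for (i = 0; i < K; i++)
        for (j = 0; j < K; j++)
            if (matrix[i * K + j] != (i == j))
                return 0;
    return 1;
}

/* A constructed k=4, n=6 code (encoding row r, column c holds r*16+c) with
 * a mix of primary and secondary blocks. Returns 1 if the rows land where
 * expected and an index of 65536 (the corrupted value in the report) is
 * rejected rather than dereferenced. */
int demo_k4_n6(void)
{
    static gf enc[6 * 4];
    gf matrix[4 * 4];
    unsigned good[4] = { 0, 5, 2, 4 };
    unsigned bad[4]  = { 0, 1, 2, 65536 };
    model_fec_t code = { 4, 6, enc };
    unsigned r, c;

    for (r = 0; r < 6; r++)
        for (c = 0; c < 4; c++)
            enc[r * 4 + c] = (gf)(r * 16 + c);
    if (build_decode_rows_checked(&code, good, 4, matrix) != 0)
        return 0;
    if (matrix[0] != 1 || matrix[1] != 0)        /* row 0: e0 */
        return 0;
    if (matrix[4] != 0x50 || matrix[7] != 0x53)  /* row 1: enc row 5 */
        return 0;
    if (matrix[10] != 1 || matrix[11] != 0)      /* row 2: e2 */
        return 0;
    if (matrix[12] != 0x40)                      /* row 3: enc row 4 */
        return 0;
    return build_decode_rows_checked(&code, bad, 4, matrix) == -2;
}

int main(void)
{
    printf("narrow counter, k=255: %u rows\n", rows_visited_narrow_counter(255, 4096));
    printf("narrow counter, k=256: %u rows (cap hit)\n", rows_visited_narrow_counter(256, 4096));
    printf("hardened k=n=256: %d, hardened k=4 n=6: %d\n", demo_k256_identity(), demo_k4_n6());
    return 0;
}
```

Widening the counter is the one-line fix for the runaway; the `index[i] >= code->n` check is a separate belt-and-braces guard, since `index` arrives from the Python binding and, as the report shows, whatever corrupts it turns a bad value straight into a multiplied pointer offset.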