Suspicious code in kdelibs-3.5.2 C Files
bartoschek at gmx.de
Sat Apr 22 12:47:15 BST 2006
hisOpcode is an int and iceConn->his_min_opcode is a char. I assume
that on this platform a char is signed. Assume that hisOpcode is larger
than 127 (for example 255) and that (iceConn->process_msg_info == NULL)
is true. Then line 544 assigns hisOpcode to iceConn->his_min_opcode.
This means that iceConn->his_min_opcode now has the value -1.
Then lines 600f are executed. The result of
hisOpcode - iceConn->his_min_opcode
is 255 - -1 = 256.
But because iceConn->process_msg_info has only 256 elements, the access
is out of bounds. In the worst case hisOpcode is 128, and then
element 383 is overwritten.
double free. The first time that outputData is freed is line 472
strerror is used although <string.h> is not included
If this line is executed before line 286 is executed, then id is not
- dcop/KDE-ICE/connect.c:89 (similar)
If errorStringRet is NULL as indicated by line 63, then lines 73, 81 and
If prev->next is NULL as indicated by line 3098, then line 3107 crashes.
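The signed-char truncation described in the first item above, as an added worked example that is not part of the original message or of KDE-ICE. It models the two code sites the report describes with hypothetical names (store_min_opcode_signed for the assignment at line 544, msg_info_index for the subtraction at lines 600f, PROCESS_MSG_INFO_LEN for the 256-element table), uses signed char explicitly so the result does not depend on whether plain char is signed on the machine running it, and goes slightly beyond the report by showing the unsigned char variant and a bounds check beside it:

```c
#include <limits.h>
#include <stdio.h>

/* Added example, not KDE-ICE code. The table size matches the 256-element
 * process_msg_info array mentioned in the report. */
#define PROCESS_MSG_INFO_LEN 256

/* Models the assignment at line 544: an int opcode is stored in a char-sized
 * field. signed char is used explicitly (the report assumes plain char is
 * signed on its platform). On two's-complement compilers such as gcc/clang,
 * 255 becomes -1 and 128 becomes -128; the value is then promoted back to int
 * when it is read. */
int store_min_opcode_signed(int his_opcode)
{
    signed char his_min_opcode = (signed char)his_opcode;
    return his_min_opcode;
}

/* Hardened variant: unsigned char keeps every value 0..255 intact. */
int store_min_opcode_unsigned(int his_opcode)
{
    unsigned char his_min_opcode = (unsigned char)his_opcode;
    return his_min_opcode;
}

/* Models the index computation at lines 600f: hisOpcode - his_min_opcode. */
int msg_info_index(int his_opcode, int his_min_opcode)
{
    return his_opcode - his_min_opcode;
}

/* The check a practitioner would add before process_msg_info[idx] is touched. */
int index_in_bounds(int idx)
{
    return idx >= 0 && idx < PROCESS_MSG_INFO_LEN;
}

static void show(const char *label, int first_opcode, int later_opcode, int (*store)(int))
{
    int minval = store(first_opcode);
    int idx = msg_info_index(later_opcode, minval);
    printf("%-14s first=%3d stored_min=%4d later=%3d index=%3d %s\n",
           label, first_opcode, minval, later_opcode, idx,
           index_in_bounds(idx) ? "in bounds" : "OUT OF BOUNDS");
}

int main(void)
{
    printf("plain char is %s on this platform\n", CHAR_MIN < 0 ? "signed" : "unsigned");
    /* The report's example: first opcode 255, later opcode 255 -> index 256. */
    show("signed char", 255, 255, store_min_opcode_signed);
    /* The report's worst case: first opcode 128, later opcode 255 -> index 383. */
    show("signed char", 128, 255, store_min_opcode_signed);
    /* Same inputs with an unsigned field stay inside the table. */
    show("unsigned char", 255, 255, store_min_opcode_unsigned);
    show("unsigned char", 128, 255, store_min_opcode_unsigned);
    return 0;
}
```

Note that converting an out-of-range value to signed char is implementation-defined before C23; the -1 and -128 results hold for the usual two's-complement compilers, which is why the report's arithmetic works out as stated.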