Suspicious code in kdelibs-3.5.2 C Files

Christoph Bartoschek bartoschek at
Sat Apr 22 12:47:15 BST 2006

- dcop/KDE-ICE/misc.c:601,604,607

hisOpcode is an int and iceConn->his_min_opcode is an char. I assume
that on this platform a char is signed. Assume that hisOpcode is larger
than 127 (for example 255) and that (iceConn->process_msg_info == NULL)
is true. Then line 544 assigns hisOpcode to iceConn->his_min_opcode.
This means that iceConn->his_min_opcode has now the value -1.

Then lines 600f are executed. The result of
 hisOpcode -	iceConn->his_min_opcode
is 255 - -1 = 256  

But because iceConn->process_msg_info has only 256 elements the access
is out of bounds. In the worst case hisOpcode is 128 and then the
element 383 is overwritten.

- dcop/dcopc.c:500

double free.  The first time that outputData is freed is line 472

- kdelibs-3.5.2/kdeprint/signal_proc.c:119

strerror is used although <string.h> is not included

- kdeprint/driverparse.c:291

If this line is executed before line 286 is executed, then id[0] is not

- dcop/KDE-ICE/protosetup.c:73
- dcop/KDE-ICE/connect.c:89 (similar)

If errorStringRet is NULL as indicated by line 63, then lines 73, 81 and
201 crash.

- libltdl/ltdl.c:3107

If prev->next is NULL as indicated by line 3098, then line 3107 crashes.

More information about the kde-core-devel mailing list