Suspicious code in kdelibs-3.5.2 C Files
Christoph Bartoschek
bartoschek at gmx.de
Sat Apr 22 12:47:15 BST 2006
- dcop/KDE-ICE/misc.c:601,604,607
hisOpcode is an int and iceConn->his_min_opcode is an char. I assume
that on this platform a char is signed. Assume that hisOpcode is larger
than 127 (for example 255) and that (iceConn->process_msg_info == NULL)
is true. Then line 544 assigns hisOpcode to iceConn->his_min_opcode.
This means that iceConn->his_min_opcode has now the value -1.
Then lines 600f are executed. The result of
hisOpcode - iceConn->his_min_opcode
is 255 - -1 = 256
But because iceConn->process_msg_info has only 256 elements the access
is out of bounds. In the worst case hisOpcode is 128 and then the
element 383 is overwritten.
- dcop/dcopc.c:500
double free. The first time that outputData is freed is line 472
- kdelibs-3.5.2/kdeprint/signal_proc.c:119
strerror is used although <string.h> is not included
- kdeprint/driverparse.c:291
If this line is executed before line 286 is executed, then id[0] is not
initialized.
- dcop/KDE-ICE/protosetup.c:73
- dcop/KDE-ICE/connect.c:89 (similar)
If errorStringRet is NULL as indicated by line 63, then lines 73, 81 and
201 crash.
- libltdl/ltdl.c:3107
If prev->next is NULL as indicated by line 3098, then line 3107 crashes.
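The first finding above (the int minus signed char index arithmetic) is the one most worth seeing in isolation. The following is an added illustration, not code from kdelibs or from the poster: it reproduces the index computation described for misc.c with a stand-alone table size of 256 and a `signed char` (the original uses plain `char`, which is signed on the platform in question), and puts an `unsigned char` version and an explicit bounds check next to it. The function names and `MSG_TABLE_SIZE` are assumptions chosen for the example.

```c
#include <stdio.h>

/* Constructed for this example: the per-opcode table has 256 slots,
 * matching the size mentioned in the report. */
#define MSG_TABLE_SIZE 256

/* Index computed the way the reported code does it: the minimum opcode
 * is stored in a signed char, the current opcode is an int.  Storing
 * 255 in a signed char yields -1 on two's-complement platforms
 * (implementation-defined in C, but that is what gcc/clang do), and
 * the subtraction promotes it back to int with its sign intact. */
int index_with_signed_min(int his_opcode, int recorded_min_opcode)
{
    signed char his_min_opcode = (signed char)recorded_min_opcode;
    return his_opcode - his_min_opcode;
}

/* Same computation with the minimum opcode held in an unsigned char:
 * opcodes 0..255 round-trip unchanged, so the index stays in range. */
int index_with_unsigned_min(int his_opcode, int recorded_min_opcode)
{
    unsigned char his_min_opcode = (unsigned char)recorded_min_opcode;
    return his_opcode - his_min_opcode;
}

/* Defensive check a table lookup should perform regardless of how the
 * operands are typed: reject anything outside [0, MSG_TABLE_SIZE). */
int index_in_bounds(int idx)
{
    return idx >= 0 && idx < MSG_TABLE_SIZE;
}

int main(void)
{
    int cases[][2] = { {255, 255}, {128, 128}, {255, 128}, {10, 5} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int op = cases[i][0], min = cases[i][1];
        int bad = index_with_signed_min(op, min);
        int good = index_with_unsigned_min(op, min);
        printf("opcode=%3d min=%3d  signed char index=%4d (%s)  "
               "unsigned char index=%3d (%s)\n",
               op, min,
               bad, index_in_bounds(bad) ? "ok" : "OUT OF BOUNDS",
               good, index_in_bounds(good) ? "ok" : "OUT OF BOUNDS");
    }
    return 0;
}
```

Running it shows the 255/255 case landing on index 256 and the 255/128 case on index 383, both past the end of a 256-entry table, while the unsigned variant yields 0 and 127. The bounds check is the part that actually prevents the write; changing the field's type only removes this one way of producing a bad index.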