From bb3d3fc77aed962484757ad0f4578118e4673fcf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Van=C4=9Bk?= Date: Thu, 5 Aug 2021 19:29:54 +0200 Subject: [PATCH 1/2] Access graph id through g->id struct graph * is already available through g variable, let's use it directly. --- src/specials.cc | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/specials.cc b/src/specials.cc index 5b8930ac3..c93a83872 100644 --- a/src/specials.cc +++ b/src/specials.cc @@ -596,12 +596,11 @@ void new_graph(struct text_object *obj, char *buf, int buf_max_size, } #endif - int graph_id = ((struct graph *)obj->special_data)->id; - s->graph = retrieve_graph(graph_id, s->graph_width); + s->graph = retrieve_graph(g->id, s->graph_width); graph_append(s, val, g->flags); - store_graph(graph_id, s); + store_graph(g->id, s); if (out_to_stdout.get(*state)) { new_graph_in_shell(s, buf, buf_max_size); } } From fbe651084edac040d7f4118110901e8bdecae5bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Van=C4=9Bk?= Date: Thu, 5 Aug 2021 19:37:20 +0200 Subject: [PATCH 2/2] Avoid out-of-bounds write in graph_append function Retrieve graph only when s->graph is already allocated, which also mens that the s->graph_width is bigger than 0, and thus avoid out-of-bounds write in graph_append function. Prior to 594d0c85baff ("Fix bug of "Graph reset when using conditional color"") s->graph was not (re)allocated when s->graph_width and s->graph_allocated were equal to zero, therefore, s->graph stayed equal to nullptr. This effectively meant that graph_append function returned immediately after call and did nothing. This behavior changed with introduction of std::map graphs, because its retrieve_graph support function allocates s->graph even for s->graph_width equal to 0. Then, subsequent call of graph_append can continue and the first element of the graph is set later in this function in line: graph->graph[0] = f; /* add new data */ causing out-of-bounds write, as there is not enough space in array of zero length. This write messes up internal data of memory allocator (at least in musl libc case) and the application later segfaults in attempt to free this memory in store_graph function. Fixes: 594d0c85baff ("Fix bug of "Graph reset when using conditional color"") --- src/specials.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/specials.cc b/src/specials.cc index c93a83872..bbca9617d 100644 --- a/src/specials.cc +++ b/src/specials.cc @@ -596,7 +596,7 @@ void new_graph(struct text_object *obj, char *buf, int buf_max_size, } #endif - s->graph = retrieve_graph(g->id, s->graph_width); + if (s->graph) { s->graph = retrieve_graph(g->id, s->graph_width); } graph_append(s, val, g->flags);