Fix regions array buffer overflow in egs++ viewer

After compiling egs_view with asan support, there was a buffer overflow error traced back to the memcpy call in ImageWindow::paintEvent. ERROR: AddressSanitizer: dynamic-stack-buffer-overflow ... READ of size 400 at 0x7ffe71889e40 thread T0 #0 0x7f543595ecdf (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x99cdf) nrc-cnrc#1 0x55dc3acdbb15 in memcpy nrc-cnrc#2 0x55dc3acdbb15 in ImageWindow::paintEvent(QPaintEvent*) nrc-cnrc#3 0x7f5434f86047 in QWidget::event(QEvent*) The issue is that memcpy will always copy sizeof(lastRegions) bytes into the array regions. But before this change, regions could be shorter than lastRegions, leading to a buffer overflow. After this change, maxreg is always set to N_REG_MAX, the length of lastRegions.
mxxo · Jun 27, 2022 · c71de66 · c71de66
1 parent a6fc389
commit c71de66
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/HEN_HOUSE/egs++/view/image_window.cpp b/HEN_HOUSE/egs++/view/image_window.cpp
@@ -335,7 +335,7 @@ void ImageWindow::paintEvent(QPaintEvent *) {
         yscreen = -(xyMouse.y()-h/2)*yscale/h;
         EGS_Vector xp(q.screen_xo + q.screen_v2*yscreen + q.screen_v1*xscreen);
 
-        int maxreg=min(int((h-145)/15),N_REG_MAX);
+        int maxreg = N_REG_MAX;
         int regions[maxreg];
         EGS_Vector colors[N_REG_MAX];
         EGS_Vector hitCoord(0,0,0);