Bug: Accessing an array out of bounds in CECDeviceParams (Plugin::HdmiCecSink) #5933

npoltorapavlo · 2024-12-11T11:38:47Z

Problem/Opportunity

CECDeviceParams class inits "Language m_currentLanguage;" with empty string: "".
Language constructor passes empty string "" and constant "MAX_LEN = 3" to CECBytes constructor that iterates through the empty buffer 3 times. Accessing an array out of bounds gives no error, but causes Undefined Behavior / SIGSEGV.

rdkservices/HdmiCecSink/HdmiCecSink.h

Line 144 in 5205a91

    
           : m_deviceType(0), m_logicalAddress(0),m_physicalAddr(0x0f,0x0f,0x0f,0x0f),m_cecVersion(0),m_vendorID(0,0,0),m_osdName(""),m_powerStatus(0),m_currentLanguage("")

    enum {
        MAX_LEN = 3,
    };
    Language(const char *str) : CECBytes((const uint8_t*)str, MAX_LEN) {
        validate();
    }

 	CECBytes(const uint8_t *buf, size_t len) {
        if (buf && len) {
            for (size_t i = 0; i < len; i++) {
                str.push_back(buf[i]);
            }
        }
	}

Steps to reproduce

Build/run with ASAN.

Expected Behavior

No Undefined Behavior / SIGSEGV.

Actual Behavior

SIGSEGV

Notes (Optional)

No response

npoltorapavlo added the bug Something isn't working label Dec 11, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bug: Accessing an array out of bounds in CECDeviceParams (Plugin::HdmiCecSink) #5933

Bug: Accessing an array out of bounds in CECDeviceParams (Plugin::HdmiCecSink) #5933

npoltorapavlo commented Dec 11, 2024

Bug: Accessing an array out of bounds in CECDeviceParams (Plugin::HdmiCecSink) #5933

Bug: Accessing an array out of bounds in CECDeviceParams (Plugin::HdmiCecSink) #5933

Comments

npoltorapavlo commented Dec 11, 2024

Problem/Opportunity

Steps to reproduce

Expected Behavior

Actual Behavior

Notes (Optional)