From bcb2f63fab0c6439b371180fae029bc562486066 Mon Sep 17 00:00:00 2001
From: Peter Keresztes Schmidt
Date: Sun, 16 May 2021 15:20:16 +0200
Subject: [PATCH] Image: Fix a dynamic-stack-buffer-overflow when filling polygons

Make sure we don't read past the end of global_edges when i = 0. We are moving the elements backwards so at most n_global_edges - 1 elements can be moved.

==6818==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7ffff888ae00 at pc 0x7fe4fd7be8ae bp 0x7ffff888ac90 sp 0x7ffff888a440
READ of size 96 at 0x7ffff888ae00 thread T0
#0 0x7fe4fd7be8ad in __interceptor_memmove (/lib/x86_64-linux-gnu/libasan.so.5+0x378ad)
#1 0x56524b2dba31 in Image::Fill(unsigned int, int, Polygon const&) /root/zoneminder/src/zm_image.cpp:2514
#2 0x56524af55530 in Monitor::DumpZoneImage(char const*) /root/zoneminder/src/zm_monitor.cpp:1510
#3 0x56524aeb38cb in main /root/zoneminder/src/zmu.cpp:574
#4 0x7fe4fb2b009a in __libc_start_main ../csu/libc-start.c:308
#5 0x56524aeb87a9 in _start (/root/zoneminder/cmake-build-relwithdebinfo-remote/src/zmu+0xf87a9)

(cherry picked from commit 63cea992a0f28a8a683d5f4159d57c57d5ec2e30)
---
 src/zm_image.cpp | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/zm_image.cpp b/src/zm_image.cpp
index 909b4db15..6b6fe8ef1 100644
--- a/src/zm_image.cpp
+++ b/src/zm_image.cpp
@@ -2511,8 +2511,7 @@ void Image::Fill(Rgb colour, int density, const Polygon &polygon) {
 Debug(9, "Moving global edge");
 active_edges[n_active_edges++] = global_edges[i];
 if ( i < (n_global_edges-1) ) {
- //memcpy( &global_edges[i], &global_edges[i+1], sizeof(*global_edges)*(n_global_edges-i) );
- memmove( &global_edges[i], &global_edges[i+1], sizeof(*global_edges)*(n_global_edges-i) );
+ memmove(&global_edges[i], &global_edges[i + 1], sizeof(*global_edges) * (n_global_edges - i - 1));
 i--;
 }
 n_global_edges--;
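Review bot: The corrected `memmove` length on the added line has no comment, yet the `- 1` is exactly the term the removed line got wrong; add `// n_global_edges - i - 1 entries follow index i, so that is the most that can be shifted down by one` above it so a later cleanup does not reintroduce the overrun. The old count read one element past the end of global_edges for every i, not only for i = 0 as the description says; the sanitizer presumably tripped at i = 0 only because of how the adjacent stack slots happened to be laid out. The report's "dynamic-stack-buffer-overflow" indicates global_edges is a variable-length stack array; if its size is derived from the polygon's vertex count, a std::vector (with erase) would make the shift bounds-checkable and avoid sizing the stack from input, though the declaration is not visible here. Image::Fill begins and ends outside this hunk.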