From bcb2f63fab0c6439b371180fae029bc562486066 Mon Sep 17 00:00:00 2001
From: Peter Keresztes Schmidt
Date: Sun, 16 May 2021 15:20:16 +0200
Subject: [PATCH 1/2] Image: Fix a dynamic-stack-buffer-overflow when filling polygons Make sure we don't read past the end of global_edges when i = 0. We are moving the elements backwards so at most n_global_edges - 1 elements can be moved. ==6818==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7ffff888ae00 at pc 0x7fe4fd7be8ae bp 0x7ffff888ac90 sp 0x7ffff888a440 READ of size 96 at 0x7ffff888ae00 thread T0 #0 0x7fe4fd7be8ad in __interceptor_memmove (/lib/x86_64-linux-gnu/libasan.so.5+0x378ad) #1 0x56524b2dba31 in Image::Fill(unsigned int, int, Polygon const&) /root/zoneminder/src/zm_image.cpp:2514 #2 0x56524af55530 in Monitor::DumpZoneImage(char const*) /root/zoneminder/src/zm_monitor.cpp:1510 #3 0x56524aeb38cb in main /root/zoneminder/src/zmu.cpp:574 #4 0x7fe4fb2b009a in __libc_start_main ../csu/libc-start.c:308 #5 0x56524aeb87a9 in _start (/root/zoneminder/cmake-build-relwithdebinfo-remote/src/zmu+0xf87a9) (cherry picked from commit 63cea992a0f28a8a683d5f4159d57c57d5ec2e30)
---
 src/zm_image.cpp | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/zm_image.cpp b/src/zm_image.cpp
index 909b4db15..6b6fe8ef1 100644
--- a/src/zm_image.cpp
+++ b/src/zm_image.cpp
@@ -2511,8 +2511,7 @@ void Image::Fill(Rgb colour, int density, const Polygon &polygon) {
 Debug(9, "Moving global edge");
 active_edges[n_active_edges++] = global_edges[i];
 if ( i < (n_global_edges-1) ) {
- //memcpy( &global_edges[i], &global_edges[i+1], sizeof(*global_edges)*(n_global_edges-i) );
- memmove( &global_edges[i], &global_edges[i+1], sizeof(*global_edges)*(n_global_edges-i) );
+ memmove(&global_edges[i], &global_edges[i + 1], sizeof(*global_edges) * (n_global_edges - i - 1));
 i--;
 }
 n_global_edges--;
From 730a057e18f98def0bbf25171df2988020e12d5e Mon Sep 17 00:00:00 2001
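Review bot: The byte count in the new `memmove` is still derived by hand from `i` and `n_global_edges`, which is the same arithmetic that over-read by one element before this fix. Expressing the shift as a range, `std::move(global_edges + i + 1, global_edges + n_global_edges, global_edges + i);` (from `<algorithm>`), removes the separate length computation, and a comment such as `// shift the (n_global_edges - i - 1) trailing edges down by one` would record why the count is what it is. ASan's "dynamic-stack" classification suggests `global_edges` is a variable-length stack array, so an over-read here touches adjacent stack memory; a regression test that fills a polygon under ASan would keep this from coming back. The loop and the declarations of both arrays are outside the hunk, so the bound on `active_edges[n_active_edges++]` cannot be confirmed from here.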
From: Peter Keresztes Schmidt
Date: Mon, 17 May 2021 00:20:05 +0200
Subject: [PATCH 2/2] LocalCamera: Fix some format warnings reported by clang `capturePixFormat` and `imagePixFormat` are no enum entries. Do no try to log them as FourCC. (cherry picked from commit 77068163a322462a5ffb56ffc3a9cbf425957f9d)
---
 src/zm_local_camera.cpp | 46 +++++++++++++++++++++++++++--------------
 1 file changed, 30 insertions(+), 16 deletions(-)
diff --git a/src/zm_local_camera.cpp b/src/zm_local_camera.cpp
index b72c38015..3ff3608c0 100644
--- a/src/zm_local_camera.cpp
+++ b/src/zm_local_camera.cpp
@@ -381,7 +381,11 @@ LocalCamera::LocalCamera(
 } else {
 if ( capture ) {
 Info("Selected capture palette: %s (0x%02hhx%02hhx%02hhx%02hhx)",
- palette_desc, (palette>>24)&0xff, (palette>>16)&0xff, (palette>>8)&0xff, (palette)&0xff);
+ palette_desc,
+ static_cast((palette >> 24) & 0xff),
+ static_cast((palette >> 16) & 0xff),
+ static_cast((palette >> 8) & 0xff),
+ static_cast((palette) & 0xff));
 }
 }
 }
@@ -438,8 +442,10 @@ LocalCamera::LocalCamera(
 } else {
 if ( capture ) {
 #if HAVE_LIBSWSCALE
- Info("No direct match for the selected palette (0x%02hhx%02hhx%02hhx%02hhx) and target colorspace (%02u). Format conversion is required, performance penalty expected",
- (capturePixFormat>>24)&0xff,((capturePixFormat>>16)&0xff),((capturePixFormat>>8)&0xff),((capturePixFormat)&0xff), colours);
+ Info(
+ "No direct match for the selected palette (%d) and target colorspace (%02u). Format conversion is required, performance penalty expected",
+ capturePixFormat,
+ colours);
 #else
 Info("No direct match for the selected palette and target colorspace. Format conversion is required, performance penalty expected");
 #endif
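Review bot: In the second hunk the `Info` call now prints `capturePixFormat` as a bare decimal, which a reader of the log cannot map back to a pixel format without the matching FFmpeg headers, and the message still labels the value "palette". If libavutil's pixdesc header is available in this build (not visible here), `av_get_pix_fmt_name(capturePixFormat)` with `%s` would log the name; it can return NULL, so the call needs a fallback string. If the value stays numeric, `static_cast<int>(capturePixFormat)` keeps the argument matched to `%d` however the variable is declared, in line with the casts added for `%hhx` in the first hunk. The same applies to the two `Error` calls in the following hunk.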
@@ -463,13 +469,11 @@ LocalCamera::LocalCamera(
 if ( capture ) {
 #if LIBSWSCALE_VERSION_CHECK(0, 8, 0, 8, 0)
 if ( !sws_isSupportedInput(capturePixFormat) ) {
- Error("swscale does not support the used capture format: 0x%02hhx%02hhx%02hhx%02hhx",
- (capturePixFormat>>24)&0xff,((capturePixFormat>>16)&0xff),((capturePixFormat>>8)&0xff),((capturePixFormat)&0xff));
+ Error("swscale does not support the used capture format: %d", capturePixFormat);
 conversion_type = 2; /* Try ZM format conversions */
 }
 if ( !sws_isSupportedOutput(imagePixFormat) ) {
- Error("swscale does not support the target format: 0x%02hhx%02hhx%02hhx%02hhx",
- (imagePixFormat>>24)&0xff,((imagePixFormat>>16)&0xff),((imagePixFormat>>8)&0xff),((imagePixFormat)&0xff));
+ Error("swscale does not support the target format: 0x%d", imagePixFormat);
 conversion_type = 2; /* Try ZM format conversions */
 }
 #endif
@@ -1212,14 +1216,14 @@ uint32_t LocalCamera::AutoSelectFormat(int p_colours) {
 /* Got a format. Copy it to the array */
 strcpy(fmt_desc[nIndex], (const char*)(fmtinfo.description));
 fmt_fcc[nIndex] = fmtinfo.pixelformat;
-
+
 Debug(3, "Got format: %s (0x%02hhx%02hhx%02hhx%02hhx) at index %d",
- fmt_desc[nIndex],
- (fmt_fcc[nIndex]>>24)&0xff,
- (fmt_fcc[nIndex]>>16)&0xff,
- (fmt_fcc[nIndex]>>8)&0xff,
- (fmt_fcc[nIndex])&0xff,
- nIndex);
+ fmt_desc[nIndex],
+ static_cast((fmt_fcc[nIndex] >> 24) & 0xff),
+ static_cast((fmt_fcc[nIndex] >> 16) & 0xff),
+ static_cast((fmt_fcc[nIndex] >> 8) & 0xff),
+ static_cast((fmt_fcc[nIndex]) & 0xff),
+ nIndex);
 /* Proceed to the next index */
 memset(&fmtinfo, 0, sizeof(fmtinfo));
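Review bot: The new target-format message uses `0x%d`, so a decimal value is logged behind a hex prefix and reads as a different number, while the capture-format message a few lines above it uses plain `%d`. It should be `Error("swscale does not support the target format: %d", imagePixFormat);`. Anyone correlating these two log lines while troubleshooting a conversion failure would otherwise misread the format id.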
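Review bot: The context line `strcpy(fmt_desc[nIndex], (const char*)(fmtinfo.description));` copies a driver-supplied string with no length limit, and neither the size of `fmt_desc[nIndex]` nor an upper bound on `nIndex` is visible in this hunk. Since the commit already touches this block, both should be confirmed against the declarations and the enclosing loop, which lie outside the hunk. If `fmt_desc` is a fixed two-dimensional array, `snprintf(fmt_desc[nIndex], sizeof(fmt_desc[nIndex]), "%s", (const char*)fmtinfo.description);` bounds the copy without changing the logged text.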
@@ -1248,13 +1252,23 @@ uint32_t LocalCamera::AutoSelectFormat(int p_colours) {
 for ( unsigned int j=0; j < nIndex; j++ ) {
 if ( preferedformats[i] == fmt_fcc[j] ) {
 Debug(6, "Choosing format: %s (0x%02hhx%02hhx%02hhx%02hhx) at index %u",
- fmt_desc[j],fmt_fcc[j]&0xff, (fmt_fcc[j]>>8)&0xff, (fmt_fcc[j]>>16)&0xff, (fmt_fcc[j]>>24)&0xff ,j);
+ fmt_desc[j],
+ static_cast(fmt_fcc[j] & 0xff),
+ static_cast((fmt_fcc[j] >> 8) & 0xff),
+ static_cast((fmt_fcc[j] >> 16) & 0xff),
+ static_cast((fmt_fcc[j] >> 24) & 0xff),
+ j);
 /* Found a format! */
 nIndexUsed = j;
 break;
 } else {
 Debug(6, "No match for format: %s (0x%02hhx%02hhx%02hhx%02hhx) at index %u",
- fmt_desc[j],fmt_fcc[j]&0xff, (fmt_fcc[j]>>8)&0xff, (fmt_fcc[j]>>16)&0xff, (fmt_fcc[j]>>24)&0xff ,j);
+ fmt_desc[j],
+ static_cast(fmt_fcc[j] & 0xff),
+ static_cast((fmt_fcc[j] >> 8) & 0xff),
+ static_cast((fmt_fcc[j] >> 16) & 0xff),
+ static_cast((fmt_fcc[j] >> 24) & 0xff),
+ j);
 }
 }
 }
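Review bot: Both `Debug(6, ...)` calls in this hunk print the low byte of `fmt_fcc[j]` first, while the `Debug(3, "Got format ...")` call in the previous hunk and the `Info("Selected capture palette ...")` call print the high byte first, so the same format is logged as two different hex strings. The commit keeps the existing order, which is understandable for a warning fix, but the messages should agree; passing `(fmt_fcc[j] >> 24) & 0xff` first through `fmt_fcc[j] & 0xff` last would match the others. A one-line comment stating which order is intended (numeric value or FourCC character order) would settle it for later edits.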