fix: Out-of-bounds memory access in strtok.

[eyal0]

This fixes #191

[eyal0]

This is currently a draft. It has a unit test but no fix yet.

[ooxi]

Thank you for the testcase! I think the best way forward is to set a default value for fd->filename in gerb_fopen. I was considering strduping the filename argument, but that might lead to even more memory leaks.

Thus I'll try setting it to nullptr first.

[ooxi]

I have tried both nullptr and "" as default initialization. In both cases the Conditional jump or move depends on uninitialised value message goes away, but valgrind does not pass, either.

However, I cannot make out the cause of the error. Do you see an error: https://github.com/ooxi/gerbv/actions/runs/5545198229/jobs/10123767309?

[eyal0]

==32056== 28 bytes in 1 blocks are definitely lost in loss record 110 of 296
==32056==    at 0x483C855: malloc (vg_replace_malloc.c:393)
==32056==    by 0x506BE98: g_malloc (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6)
==32056==    by 0x4865BD6: gerb_fgetstring (gerb_file.c:219)
==32056==    by 0x486BFC1: parse_rs274x (gerber.c:1450)
==32056==    by 0x486A68F: gerber_parse_file_segment (gerber.c:245)
==32056==    by 0x486E507: parse_gerb (gerber.c:770)
==32056==    by 0x486F148: gerbv_open_image (gerbv.c:571)
==32056==    by 0x486F59B: gerbv_open_layer_from_filename_with_color (gerbv.c:249)
==32056==    by 0x11B452: main (main.c:941)

@ooxi Setting it to nullptr or "" fixed the problem of trying to read bad memory. However, it exposed a different problem, which I also encountered, same as you! It's saying that there is memory that was allocated but never freed, and it shows the stack trace to that allocation. Along that path, I can see parse_rs274x (gerber.c:1450). In the code, it's here:

gerbv/src/gerber.c

Lines 1450 to 1480 in caa6560

	gchar *includeFilename = gerb_fgetstring(fd, '*');
	if (includeFilename) {
	gchar *fullPath;
	if (!g_path_is_absolute(includeFilename)) {
	fullPath = g_build_filename (directoryPath, includeFilename, NULL);
	} else {
	fullPath = g_strdup (includeFilename);
	}
	if (levelOfRecursion < 10) {
	gerb_file_t *includefd = NULL;
	includefd = gerb_fopen(fullPath);
	if (includefd) {
	gerber_parse_file_segment (levelOfRecursion + 1, image, state, curr_net, stats, includefd, directoryPath);
	gerb_fclose(includefd);
	} else {
	gerbv_stats_printf(error_list, GERBV_MESSAGE_ERROR, -1,
	_("Included file \"%s\" cannot be found "
	"at line %ld in file \"%s\""),
	fullPath, *line_num_p, fd->filename);
	}
	g_free (fullPath);
	} else {
	gerbv_stats_printf(error_list, GERBV_MESSAGE_ERROR, -1,
	_("Parser encountered more than 10 levels of "
	"include file recursion which is not allowed "
	"by the RS-274X spec"));
	}
	}

Looking into the code for that call to gerb_fgetstring, I see:

gerbv/src/gerb_file.c

Lines 196 to 224 in caa6560

	gerb_fgetstring(gerb_file_t *fd, char term)
	{
	char *strend = NULL;
	char *newstr;
	char *i, *iend;
	int len;
	iend = fd->data + fd->datalen;
	for (i = fd->data + fd->ptr; i < iend; i++) {
	if (*i == term) {
	strend = i;
	break;
	}
	}
	if (strend == NULL)
	return NULL;
	len = strend - (fd->data + fd->ptr);
	newstr = (char *)g_malloc(len + 1);
	if (newstr == NULL)
	return NULL;
	strncpy(newstr, fd->data + fd->ptr, len);
	newstr[len] = '\0';
	fd->ptr += len;
	return newstr;
	} /* gerb_fgetstring */

There's a g_malloc in there with no corresponding free. So it needs to be free'd! We've never caught this before in valgrind because we have never covered this part of the code with valgrind. :-( So that's where the memory is getting lost. You can see that the size lost is 28 bytes and the file name that @iosifache chose was parse_aperture_strtok.2.poc and that's 27 letters. Add one for the terminating null and it's 28, same as the malloc size.

[ooxi]

Thank you very much!