Opened 9 years ago

Closed 9 years ago

Last modified 9 years ago

#5097 closed Bug (fixed)

Rare buffer overflow (piece index too big)

Reported by: grai Owned by: jordan
Priority: Normal Milestone: 2.74
Component: libtransmission Version: 2.71
Severity: Normal Keywords:
Cc:

Description

I think the return value of getBytePiece() in libtransmission/torrent.c should be clamped to pieceCount-1, in case the file is 0 bytes long and at the end of the torrent, and the total torrent size is a multiple of the piece size.

Probably rare, but I have at least 1 torrent like that. Found with valgrind after segfault.
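The scenario the reporter describes, reduced to a self-contained C program (an added example; it is not code from the ticket or from libtransmission, and the type and function names are constructed stand-ins rather than transmission's real getBytePiece() and structs): a torrent whose total size is an exact multiple of the piece size, with a 0-byte file placed at the very end, so that file's byte offset equals the total size. Dividing that offset by the piece size yields piece_count, one past the last valid index; clamping to piece_count-1 keeps the later per-piece writes in bounds.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed demo types; these are not libtransmission's real structs. */
typedef struct {
    uint64_t offset; /* byte offset of the file's first byte within the torrent */
    uint64_t length; /* file length in bytes; may be zero */
} demo_file;

typedef struct {
    uint64_t total_size;  /* sum of all file lengths */
    uint32_t piece_size;  /* bytes per piece */
    uint32_t piece_count; /* ceil(total_size / piece_size) */
} demo_torrent;

/* piece_count as a torrent parser would derive it: ceil(total / piece_size). */
static uint32_t demo_piece_count(uint64_t total_size, uint32_t piece_size)
{
    return (uint32_t)((total_size + piece_size - 1) / piece_size);
}

/* The naive mapping: byte offset -> piece index, with no upper bound.
 * For a 0-byte file whose offset equals total_size, and total_size a
 * multiple of piece_size, this returns piece_count, one past the last piece. */
static uint32_t byte_to_piece_unclamped(const demo_torrent *tor, uint64_t byte_offset)
{
    return (uint32_t)(byte_offset / tor->piece_size);
}

/* The clamped mapping the ticket proposes: never return more than piece_count-1.
 * Assumes piece_count >= 1, which holds for any torrent with at least one byte. */
static uint32_t byte_to_piece_clamped(const demo_torrent *tor, uint64_t byte_offset)
{
    uint32_t idx = (uint32_t)(byte_offset / tor->piece_size);
    if (idx >= tor->piece_count)
        idx = tor->piece_count - 1;
    return idx;
}

/* Stand-in for a per-piece table such as a priority array. Returns false
 * instead of writing out of bounds, so the bad index is visible, not a crash. */
static bool set_piece_flag(uint8_t *flags, uint32_t piece_count, uint32_t idx, uint8_t value)
{
    if (idx >= piece_count)
        return false; /* an unchecked write here is the out-of-bounds store */
    flags[idx] = value;
    return true;
}

/* Constructed scenario: two pieces of 16 KiB, one full 32 KiB file, then an
 * empty file placed at the very end (offset == total_size). */
demo_torrent demo_make_torrent(void)
{
    demo_torrent tor;
    tor.piece_size = 16384;
    tor.total_size = 32768;
    tor.piece_count = demo_piece_count(tor.total_size, tor.piece_size);
    return tor;
}

static demo_file demo_trailing_empty_file(void)
{
    demo_file f = { 32768, 0 };
    return f;
}

/* First-piece index that each mapping gives for the empty trailing file. */
uint32_t demo_first_piece(bool clamp)
{
    demo_torrent tor = demo_make_torrent();
    demo_file f = demo_trailing_empty_file();
    return clamp ? byte_to_piece_clamped(&tor, f.offset)
                 : byte_to_piece_unclamped(&tor, f.offset);
}

/* Whether a per-piece write using that index stays inside the table. */
bool demo_write_in_bounds(bool clamp)
{
    demo_torrent tor = demo_make_torrent();
    uint8_t flags[2] = { 0, 0 }; /* sized to piece_count == 2 */
    return set_piece_flag(flags, tor.piece_count, demo_first_piece(clamp), 1);
}

int main(void)
{
    demo_torrent tor = demo_make_torrent();
    printf("piece_count=%u\n", tor.piece_count);
    printf("unclamped index=%u in_bounds=%d\n", demo_first_piece(false), demo_write_in_bounds(false));
    printf("clamped   index=%u in_bounds=%d\n", demo_first_piece(true), demo_write_in_bounds(true));
    return 0;
}
```

The stand-in table refuses the out-of-range write; in the real code path (comment:1 names tr_torrentInitFilePriority, loadProgress and setFileDND) the index was used directly, which is why valgrind reported the overflow. Clamping at the source of the index fixes every downstream user at once, which is the point of the proposed change.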

Attachments (1)

tr-5097-rev-01.diff (651 bytes) - added by jordan 9 years ago.


Change History (8)

comment:1 Changed 9 years ago by grai

To be clear, the out-of-bounds assignments happen afterwards in functions like tr_torrentInitFilePriority, loadProgress, and setFileDND. Similar problem to #589.

comment:2 Changed 9 years ago by jordan

  • Milestone changed from None Set to 2.80
  • Owner set to jordan
  • Status changed from new to assigned

Thanks grai!

comment:3 Changed 9 years ago by jordan

  • Component changed from Transmission to libtransmission

Changed 9 years ago by jordan

comment:4 Changed 9 years ago by jordan

grai, does tr-5097-rev-01.diff fix the problem for you?

comment:5 Changed 9 years ago by grai

Yep, that fixes it.

comment:6 Changed 9 years ago by jordan

  • Resolution set to fixed
  • Status changed from assigned to closed

fixed in r13592.

comment:7 Changed 9 years ago by jordan

  • Milestone changed from 2.80 to 2.74