From mboxrd@z Thu Jan 1 00:00:00 1970 Message-ID: <2e748c14611ecd8e653a1865598e418d@felloff.net> Date: Tue, 14 Jan 2014 00:44:47 +0100 From: cinap_lenrek@felloff.net To: 9fans@9fans.net MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit Subject: [9fans] devdraw memory corruption Topicbox-Message-UUID: b2bbab46-ead8-11e9-9d60-3106f5b1d025 when user does read of exactly 12*12 bytes on draw ctl file, the snprint() adds one more \0 byte writing beyond the user buffer and corrupting memory. fix this by not snprint()ing the final space and add it manually:
--- /sys/src/9/port/devdraw.c Wed Dec 25 13:55:16 2013 UTC
+++ /sys/src/9/port/devdraw.c Mon Jan 13 23:22:13 2014 UTC
@@ -1187,10 +1187,11 @@
 error(Enodrawimage);
 i = di->image;
 }
- n = sprint(a, "%11d %11d %11s %11d %11d %11d %11d %11d %11d %11d %11d %11d ",
+ n = sprint(a, "%11d %11d %11s %11d %11d %11d %11d %11d %11d %11d %11d %11d",
 cl->clientid, cl->infoid,
 chantostr(buf, i->chan), (i->flags&Frepl)==Frepl,
 i->r.min.x, i->r.min.y, i->r.max.x, i->r.max.y,
 i->clipr.min.x, i->clipr.min.y, i->clipr.max.x, i->clipr.max.y);
+ ((char*)a)[n++] = ' ';
 cl->infoid = -1;
 break;
test program: #include #include #include void main(int argc, char *argv[]) { char buf[12*12+1]; buf[12*12] = 'X'; if(read(0, buf, 12*12) != 12*12) sysfatal("read: %r"); if(buf[12*12] != 'X') sysfatal("corrupt"); } term% ./8.out
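Review bot: The rewritten call at `+ n = sprint(a, "%11d ... %11d",` is still unbounded, so the fix holds only while every `%11d`/`%11s` field stays within its minimum width (a width specifier is a floor, not a cap) and the read length is at least 12*12; the hunk does not show that length check, so if it lives outside this hunk the description should say so. Passing the bound explicitly, `n = snprint(a, 12*12, "%11d %11d %11s ... %11d",` with the same arguments, turns any future field overrun into truncation rather than a write past the user buffer, and the following `((char*)a)[n++] = ' ';` keeps the 12*12-byte record as before. A comment above the call such as `/* exactly 12*12 bytes: 12 fields of width 11, 11 separators and a trailing blank; no NUL is returned to the reader */` would make the invariant this patch relies on visible to the next maintainer. The message text says snprint() while the code calls sprint(). The enclosing read switch continues outside the hunk.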