rockbox/apps
Aidan MacDonald 32f1418c5a buffering: fix buffer overflows with bitmap loading

In some circumstances it was possible for a bitmap to overflow its
buffer and overwrite the next handle. The easiest way to trigger it
is with a highly compressed JPEG that is decoded to a large bitmap.
Because the JPEG file size is used to determine how much to allocate
this would cause an obvious buffer overflow when the JPEG is smaller
than the decoded bitmap. Fix this by using the decoded bitmap size as
the allocation size. Some overhead must be added to deal with JPEGs,
but it will be freed once the image is loaded.

A less obvious possibility is the fact that add_handle() will allow
a handle to be added even if there's not enough space for the entire
allocation. This is generally beneficial because it allows the first
part of a file to be loaded while waiting for space to free up, but
for bitmaps it is not valid because the whole image is loaded at once.
Hence if there is not actually enough space in the buffer, the bitmap
load can again overflow the actual free space and overwrite the next
handle.

The buffering code supports an H_ALLOCALL flag for allocations that
need the free space available immediately, so use it for bitmaps to
avoid that bug.

load_image() had a sketchy-looking check for free space which stopped
me from triggering the bug with simple tests, but since guessing the
free space is obviously a bad idea when the caller *knows* how much
free space there really is, remove that guess and let the caller tell
load_image() the real deal.

Change-Id: If62a58759705d83c16ee5b50f26bcbccc3f6c01f
2022-04-09 15:20:57 +01:00
bitmaps Rename symbols of FiiO M3K Linux-based port 2021-02-27 23:53:28 +00:00
gui [COV] folder_select buffer overrun 2022-03-18 08:59:32 -04:00
hosted/android keyboard add ability to specify temporary custom layouts 2020-07-22 06:48:28 -04:00
iap FS#13287 - Load a newly saved playlist and resume where it was 2021-05-03 20:10:27 +00:00
keymaps FiiO M3K: audio recording 2022-01-29 19:28:03 +00:00
lang FS13338: Updated Slovak translation (Matej Golian) 2022-03-31 21:33:53 -04:00
menus alarm_menu share setter with settime 2022-03-30 09:05:28 -04:00
plugins keyboard.c Use viewports, move text box pos 2022-04-07 19:46:56 -04:00
radio Fix red in bc416ff590 2021-04-10 21:06:41 -04:00
recorder jpeg: provide a rough estimate of decoder memory overhead 2022-04-09 15:20:57 +01:00
abrepeat.c [3/4] Completely remove HWCODEC support 2020-07-24 21:20:13 +00:00
abrepeat.h [3/4] Completely remove HWCODEC support 2020-07-24 21:20:13 +00:00
action.c action.c keyremap clean-up add logf to core_keymap.c 2022-02-26 00:40:42 -05:00
action.h action.c keyremap clean-up add logf to core_keymap.c 2022-02-26 00:40:42 -05:00
alarm_menu.c alarm_menu share setter with settime 2022-03-30 09:05:28 -04:00
alarm_menu.h
appevents.h
applimits.h
apps.make Android: use APPEXTRA instead of makefile hack 2011-03-11 16:08:36 +00:00
audio_path.c nwza860: fix simulator build 2020-10-19 03:39:33 +00:00
audio_thread.c
audio_thread.h
beep.c
bookmark.c whitespace fixes 2021-10-21 22:42:01 +02:00
bookmark.h
buffering.c buffering: fix buffer overflows with bitmap loading 2022-04-09 15:20:57 +01:00
buffering.h Remove execute bit from file permissions from recent commit 2021-03-02 02:10:53 +00:00
codec_thread.c codec_thread.c don't overrun audio_formats[] array 2021-08-11 10:56:14 -04:00
codec_thread.h
codecs.c [3/4] Completely remove HWCODEC support 2020-07-24 21:20:13 +00:00
core_asmdefs.c
core_keymap.c action.c keyremap clean-up add logf to core_keymap.c 2022-02-26 00:40:42 -05:00
core_keymap.h Core Keyremap Allow setting keymap from plugin 2022-02-23 21:38:27 -05:00
cuesheet.c Allow cuesheet index offsets longer than 99 minutes. 2022-04-07 20:10:19 -04:00
cuesheet.h [4/4] Remove HAVE_LCD_BITMAP, as it's now the only choice. 2020-07-24 21:20:13 +00:00
debug_menu.c debug_menu dbg_buffering_thread show more on tiny screens 2022-03-22 17:55:23 -04:00
debug_menu.h
enc_config.c enc_config.c don't overrun mp3_enc_bitr[] array 2021-08-11 11:00:03 -04:00
enc_config.h
features.txt sync clock with RDS time 2022-02-07 22:04:10 +01:00
filetree.c filetree.c cleanup 2022-03-21 08:14:30 -04:00
filetree.h FS#13287 - Load a newly saved playlist and resume where it was 2021-05-03 20:10:27 +00:00
filetypes.c misc: Add 'mpga' as a valid file extension 2022-02-01 13:23:39 -05:00
filetypes.h filetree.c move static and stack allocated buffers around 2021-10-20 16:05:21 -04:00
fracmul.h
keyboard.h [4/4] Remove HAVE_LCD_BITMAP, as it's now the only choice. 2020-07-24 21:20:13 +00:00
language.c language.c fix possible buffer overrun 2021-08-03 00:57:35 +00:00
language.h
logfdisp.c [4/4] Remove HAVE_LCD_BITMAP, as it's now the only choice. 2020-07-24 21:20:13 +00:00
logfdisp.h Updated our source code header to explicitly mention that we are GPL v2 or 2008-06-28 18:10:04 +00:00
main.c LastFm remove scrobbler from core make a TSR plugin WIP 2022-03-26 02:50:11 -04:00
menu.c Fix glitches with custom list title viewports 2022-02-06 11:20:34 -05:00
menu.h do_menu pass internal synclist reference to callback 2020-07-19 22:10:26 +00:00
misc.c LastFm remove scrobbler from core make a TSR plugin WIP 2022-03-26 02:50:11 -04:00
misc.h add function string_option to misc.c use in skin_parser.c 2022-03-13 03:45:00 -04:00
onplay.c Fix glitches with custom list title viewports 2022-02-06 11:20:34 -05:00
onplay.h PictureFlow: Utilize "Current Playlist" menu (+ GS fixes) 2022-01-04 18:00:49 -05:00
open_plugin.c root_menu.c fix recent regression for shortcuts add resume for plugins 2021-11-07 01:49:15 -05:00
open_plugin.h Open Plugins Ignore hash for lang Ids 2021-10-23 02:45:54 -04:00
pcmbuf.c Additional Single Mode options 2021-12-11 11:43:39 -05:00
pcmbuf.h
playback.c playback.c use file_exists rather than open to check for bad files 2022-03-11 19:45:58 -05:00
playback.h Option to switch off album art or to prefer file over embedded 2022-01-22 08:29:40 -05:00
playlist.c playlist: use path_strip_last_volume, clarify path conventions 2022-04-01 11:40:02 -04:00
playlist.h [3/4] Completely remove HWCODEC support 2020-07-24 21:20:13 +00:00
playlist_catalog.c playlist_catalog fix strcpy overlap, potential buffer overrun 2021-08-02 02:27:43 +00:00
playlist_catalog.h
playlist_menu.h
playlist_viewer.c Fix glitches with custom list title viewports 2022-02-06 11:20:34 -05:00
playlist_viewer.h
plugin.c add way to lock portion of plugin buffer for TSR plugins 2022-03-25 18:16:11 -04:00
plugin.h add way to lock portion of plugin buffer for TSR plugins 2022-03-25 18:16:11 -04:00
rbcodec_helpers.c
rbcodecconfig.h
rbcodecplatform.h
README
root_menu.c BUGFIX root_menu.c 2022-03-18 19:45:01 -04:00
root_menu.h Add open_plugin to core 2020-08-17 10:15:14 -04:00
screen_access.c Whitespace cleanup on fb_viewport Rewrite 2020-10-26 12:38:22 -04:00
screen_access.h Whitespace cleanup on fb_viewport Rewrite 2020-10-26 12:38:22 -04:00
screens.c alarm_menu share setter with settime 2022-03-30 09:05:28 -04:00
screens.h alarm_menu share setter with settime 2022-03-30 09:05:28 -04:00
settings.c Option to switch off album art or to prefer file over embedded 2022-01-22 08:29:40 -05:00
settings.h LastFm remove scrobbler from core make a TSR plugin WIP 2022-03-26 02:50:11 -04:00
settings_list.c LastFm remove scrobbler from core make a TSR plugin WIP 2022-03-26 02:50:11 -04:00
settings_list.h Add open_plugin to core 2020-08-17 10:15:14 -04:00
shortcuts.c replace more strcmp if then trees with string_option() 2022-03-13 14:31:02 -04:00
shortcuts.h
sound_menu.h
SOURCES LastFm remove scrobbler from core make a TSR plugin WIP 2022-03-26 02:50:11 -04:00
status.c [2/4] get rid of HAVE_LCD_CHARCELLS 2020-07-24 21:20:13 +00:00
status.h [2/4] get rid of HAVE_LCD_CHARCELLS 2020-07-24 21:20:13 +00:00
tagcache.c tagcache.c remove 16-bit compression for add_uniqbuf 2022-03-22 00:22:42 -04:00
tagcache.h tagtree/tagcache add new clause operators begins/ends _oneof 2022-03-19 02:24:14 -04:00
tagnavi.config tagtree: Support user override config file 2021-12-24 10:41:27 -05:00
tagtree.c tagtree/tagcache add new clause operators begins/ends _oneof 2022-03-19 02:24:14 -04:00
tagtree.h
talk.c voice: Allow voiced date format to be overridden 2021-09-28 21:58:11 -04:00
talk.h talk: Explicitly cast -1 as unsigned before a left shift. 2021-07-20 00:09:33 +00:00
tree.c Use USB events for storing plugin_menu state 2021-10-31 12:42:24 -04:00
tree.h
usb_keymaps.c Document intentional fallthroughs + fix harmless unintended ones 2021-08-04 18:59:46 +00:00
usb_keymaps.h
voice_thread.c voice_thread.c ensure cpu gets re-boosted after Q_VOICE_STOP event 2021-09-29 01:18:00 -04:00
voice_thread.h voice: Allow voice prompt volume to be configurable 2021-03-07 12:51:36 +00:00

For general information see: docs/README
For API information see: docs/API