fix: Out-of-bounds memory access of filename.

Put all the filename allocation and deallocation into the `gerb_fopen` and `gerb_fclose` functions so that the caller doesn't need to deal with this anymore. Also, free includeFilename. It was allocated as part of `gerb_fgetstring()` above but never freed properly. Unit tests added to valgrind.
gerbv · Jul 13, 2023 · 5517e22 · 5517e22
1 parent 14f9df4
commit 5517e22
Show file tree

Hide file tree

Showing 8 changed files with 23 additions and 6 deletions.
diff --git a/src/gerb_file.c b/src/gerb_file.c
@@ -131,6 +131,9 @@ gerb_fopen(char const * filename)
 
 #endif
 
+    dprintf("     Setting filename\n");
+    fd->filename = g_strdup(filename);
+
     dprintf("<--- Leaving gerb_fopen\n");
     return fd;
 } /* gerb_fopen */
@@ -238,6 +241,8 @@ void
 gerb_fclose(gerb_file_t *fd)
 {
     if (fd) {
+        g_free(fd->filename);
+
 #ifdef HAVE_SYS_MMAN_H
 	if (munmap(fd->data, fd->datalen) < 0)
 	    GERB_FATAL_ERROR("munmap: %s", strerror(errno));

diff --git a/src/gerber.c b/src/gerber.c
@@ -1476,7 +1476,7 @@ parse_rs274x(gint levelOfRecursion, gerb_file_t *fd, gerbv_image_t *image,
 				"include file recursion which is not allowed "
 				"by the RS-274X spec"));
 		}
-
+		g_free (includeFilename);
 	    }
 	}
 	break;

diff --git a/src/gerbv.c b/src/gerbv.c
@@ -507,9 +507,6 @@ gerbv_open_image(gerbv_project_t *gerbvProject, gchar const* filename, int idx,
 	return -1;
     }
 
-    /* Store filename info fd for further use */
-    fd->filename = g_strdup(filename);
-
     dprintf("In open_image, successfully opened file.  Now check its type....\n");
     /* Here's where we decide what file type we have */
     /* Note: if the file has some invalid characters in it but still appears to
@@ -578,7 +575,6 @@ gerbv_open_image(gerbv_project_t *gerbvProject, gchar const* filename, int idx,
 	parsed_image = NULL;
     }
 
-    g_free(fd->filename);
     gerb_fclose(fd);
     if (parsed_image == NULL) {
 	return -1;

diff --git a/test/golden/parse_aperture_strtok.png b/test/golden/parse_aperture_strtok.png
diff --git a/test/inputs/parse_aperture_strtok.1.poc b/test/inputs/parse_aperture_strtok.1.poc
@@ -0,0 +1,11 @@
+%FSLAX25Y25*%
+%MOIN*%
+
+%ADD20C,BBBB*%
+
+%IFparse_aperture_strtok.2.poc*%
+
+D21*
+X400000Y400000D03*
+
+M02*
diff --git a/test/inputs/parse_aperture_strtok.2.poc b/test/inputs/parse_aperture_strtok.2.poc
@@ -0,0 +1,2 @@
+M09*
+
diff --git a/test/run_valgrind_tests.sh b/test/run_valgrind_tests.sh
@@ -2,4 +2,5 @@
 ./run_tests.sh --valgrind \
                example_cslk \
                out-of-bounds-drill-tool \
-               example_am_test
+               example_am_test \
+               parse_aperture_strtok
diff --git a/test/tests.list b/test/tests.list
@@ -182,6 +182,8 @@ test-circular-interpolation-zero-error  |  test-circular-interpolation-zero-erro
 test-merge-a+b_temporary | test-merge-a.gbx test-merge-b.gbx | ! --export=rs274x --output=inputs/test-merge-a+b_temporary.gbx
 test-merge-a+b | test-merge-a+b_temporary.gbx
 
+parse_aperture_strtok | parse_aperture_strtok.1.poc
+
 # ---------------------------------------------
 # Excellon drill tests
 # ---------------------------------------------