From 0f8b4c4ca03e7d39675901f117f5d79a5daeeeae Mon Sep 17 00:00:00 2001
From: Hauke Mehrtens
Date: Wed, 26 Aug 2015 15:36:58 +0200
Subject: [PATCH] OCRepresentation: fix segmentation fault by initializing memory dimensions was not fully initialized, but used by the code, so it could contain arbitrary memory. If this memory was a big number this code could allocate very much memory as this was used to create a 2 or 3 dimensional arrays. This fixes a Segmentation fault seen in normal operation of the garageserver and a invalid memory read and a following segmentation fault seen with valgrind in the garageserver
Change-Id: Ifbab3d48b00bd2e3559ca3a8d79336ecf5feef6e
Signed-off-by: Hauke Mehrtens
Reviewed-on: https://gerrit.iotivity.org/gerrit/2285
Tested-by: jenkins-iotivity
Reviewed-by: Jon A. Cruz
---
 resource/src/OCRepresentation.cpp | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/resource/src/OCRepresentation.cpp b/resource/src/OCRepresentation.cpp
index f61edb3..70d699e 100644
--- a/resource/src/OCRepresentation.cpp
+++ b/resource/src/OCRepresentation.cpp
@@ -181,6 +181,8 @@ namespace OC
 {
 root_size_calc();
 dimensions[0] = arr.size();
+ dimensions[1] = 0;
+ dimensions[2] = 0;
 dimTotal = calcDimTotal(dimensions);
 array = (void*)OICMalloc(dimTotal * root_size);
@@ -196,6 +198,8 @@ namespace OC
 {
 root_size_calc();
 dimensions[0] = arr.size();
+ dimensions[1] = 0;
+ dimensions[2] = 0;
 for(size_t i = 0; i < arr.size(); ++i)
 {
 dimensions[1] = std::max(dimensions[1], arr[i].size());
@@ -216,6 +220,8 @@ namespace OC
 {
 root_size_calc();
 dimensions[0] = arr.size();
+ dimensions[1] = 0;
+ dimensions[2] = 0;
 for(size_t i = 0; i < arr.size(); ++i)
 {
 dimensions[1] = std::max(dimensions[1], arr[i].size());
-- 
2.7.4
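Review bot: The zeroing of `dimensions[1]` and `dimensions[2]` is written out by hand in this operator and again in the two hunks that follow, so any overload or later code path that omits it would read indeterminate sizes again. The declaration of `dimensions` is outside the diff; if it is a plain member array, value-initializing it there (`= {}` on the declaration, or zeroing it in the constructor) would cover every path in one place. In this first hunk the product `dimTotal * root_size` is passed to `OICMalloc` with no visible overflow check, and whether `array` is tested for null lies in the part of the operator outside the hunk. A guard such as `if (root_size != 0 && dimTotal > SIZE_MAX / root_size)` before the call would keep a wrapped size from yielding an undersized buffer, which matters most on 32-bit targets and, if the multi-dimensional overloads allocate the same way, where `dimensions[1]` is the maximum row length rather than the real element count.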