| Summary: | Invalid memory access in wc_to_utf8() | ||
|---|---|---|---|
| Product: | libserialport | Reporter: | Martin Jackson <jacksonmj.mail> |
| Component: | Port enumeration | Assignee: | Nobody <nobody> |
| Status: | RESOLVED FIXED | ||
| Severity: | critical | CC: | martin-sigrokbugs, ploufus, uwe |
| Priority: | High | ||
| Version: | unreleased development snapshot | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Windows | ||
| Attachments: | Suggested fix | ||
There is a commit pending in this pull request: https://github.com/martinling/libserialport/pull/23 which replaces the whole code of this function, and may be a better fix. Merged the patch with a commit message and faked author etc. in 38b71192dd70336eba219994b0a4219a48e4cbe1, thanks a lot! I've been able to reproduce this with an MCP2221, and I can also confirm that it also fixes a few seemingly unrelated bugs like #1370. The other stuff from https://github.com/martinling/libserialport/pull/23 seems to still be WIP, so I think it's better getting this specific fix merged to avoid the crashes, further patches can easily be added on top. |
Created attachment 329 [details] Suggested fix In wc_to_utf8() in windows.c, the zero terminator is written to an invalid array index, which results in 2 bytes being zeroed in a random place in the stack. This sometimes causes a crash when running sp_list_ports() (depending on string length and compiler optimisation settings). sizeof(wc_str) returns the size in bytes, so cannot be used directly as an index into that array, it should be divided by sizeof(WCHAR). Otherwise the zero terminator index is approximately twice what it should be.