Scarfski/bullet3
1
0
Fork 0
mirror of https://github.com/bulletphysics/bullet3.git synced 2026-06-14 03:09:18 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix stack overflow in parsing URDF files in Bullet

Browse Source 
When reading response from the Bullet server after a "load URDF" command, the client code allocated and zeroed buffers for the data chunks with a "+1" to account for the terminating zero. This was when the buffer pointer was interpreted as a `char *`, so it meant "+ 1 byte".

When reading those buffers, however, the associated pointer was a `void *`, so reading `sizeof(void*)` (8 on my machine) bytes at a time. Therefore it was reading up to 7 bytes past the allocated (and zeroed) memory.

The change fixes that by changing the "+ 1" to "+ sizeof(void*)". At one place it also extends the zeroing to the final buffer position (missing "+ 1" in the original).
This commit is contained in:
vabr-g
2021-03-02 11:55:19 +01:00
committed by GitHub
parent abea1a8484
commit 390eeb111b
1 changed files with 6 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
Extras/Serialize/BulletFileLoader/bFile.cpp
View File

@@ -643,8 +643,8 @@ char *bFile::readStruct(char *head, bChunkInd &dataChunk)
if ((strcmp(oldType, "btShortIntIndexData") == 0))
{
int allocLen = 2;
char *dataAlloc = new char[(dataChunk.nr * allocLen) + 1];
memset(dataAlloc, 0, (dataChunk.nr * allocLen) + 1);
char *dataAlloc = new char[(dataChunk.nr * allocLen) + sizeof(void*)];
memset(dataAlloc, 0, (dataChunk.nr * allocLen) + sizeof(void*));
short *dest = (short *)dataAlloc;
const short *src = (short *)head;
for (int i = 0; i < dataChunk.nr; i++)
@@ -682,8 +682,8 @@ char *bFile::readStruct(char *head, bChunkInd &dataChunk)
// numBlocks * length
int allocLen = (curLen);
char *dataAlloc = new char[(dataChunk.nr * allocLen) + 1];
memset(dataAlloc, 0, (dataChunk.nr * allocLen));
char *dataAlloc = new char[(dataChunk.nr * allocLen) + sizeof(void*)];
memset(dataAlloc, 0, (dataChunk.nr * allocLen) + sizeof(void*));
// track allocated
addDataBlock(dataAlloc);
@@ -719,8 +719,8 @@ char *bFile::readStruct(char *head, bChunkInd &dataChunk)
#endif //
}
char *dataAlloc = new char[(dataChunk.len) + 1];
memset(dataAlloc, 0, dataChunk.len + 1);
char *dataAlloc = new char[(dataChunk.len) + sizeof(void*)];
memset(dataAlloc, 0, dataChunk.len + sizeof(void*));
// track allocated
addDataBlock(dataAlloc);