[ioquake3] 08/39: Add patches fixing array underflows diagnosed by gcc 6

Simon McVittie smcv at debian.org
Sat Nov 5 20:26:22 UTC 2016


This is an automated email from the git hooks/post-receive script.

smcv pushed a commit to branch debian/master
in repository ioquake3.

commit d4fe203c8c7ad2b7aa4fdb51fed9837b527cb6cb
Author: Simon McVittie <smcv at debian.org>
Date:   Sun Sep 25 17:18:47 2016 +0100

    Add patches fixing array underflows diagnosed by gcc 6
    
    I don't think these are security-sensitive.
---
 debian/changelog                                   | 10 ++++
 ...BuildFindPlayerList-avoid-array-underflow.patch | 41 +++++++++++++
 ...erList-make-a-sizeof-more-obviously-corre.patch | 27 +++++++++
 debian/patches/series                              |  3 +
 ...void-undefined-pointer-below-array-bounds.patch | 67 ++++++++++++++++++++++
 5 files changed, 148 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index adede0c..2f209f4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+ioquake3 (1.36+u20160914+dfsg1-2) UNRELEASED; urgency=medium
+
+  * d/p/UI_BuildFindPlayerList-avoid-array-underflow.patch,
+    d/p/UI_BuildFindPlayerList-make-a-sizeof-more-obviously-corre.patch,
+    d/p/snd_wavelet-avoid-undefined-pointer-below-array-bounds.patch:
+    add patches fixing (probably non-security-sensitive) array underflows
+    diagnosed by gcc 6
+
+ -- Simon McVittie <smcv at debian.org>  Sun, 25 Sep 2016 17:17:30 +0100
+
 ioquake3 (1.36+u20160914+dfsg1-1) unstable; urgency=medium
 
   * New upstream snapshot
diff --git a/debian/patches/UI_BuildFindPlayerList-avoid-array-underflow.patch b/debian/patches/UI_BuildFindPlayerList-avoid-array-underflow.patch
new file mode 100644
index 0000000..a68618c
--- /dev/null
+++ b/debian/patches/UI_BuildFindPlayerList-avoid-array-underflow.patch
@@ -0,0 +1,41 @@
+From: Simon McVittie <smcv at debian.org>
+Date: Sun, 25 Sep 2016 16:57:52 +0100
+Subject: UI_BuildFindPlayerList: avoid array underflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+This function is used in the Team Arena menus
+
+I don't think it's actually possible to reach this line with
+foundPlayerServerNames < 1, because by the time we get here we have
+set it to 1 + the actual number of servers; but if we did, it would
+clearly underflow into foundPlayerServerNames[-1], which would be
+undefined behaviour. gcc 6 diagnoses this with a warning:
+
+code/ui/ui_main.c: In function ‘UI_BuildFindPlayerList’:
+code/ui/ui_main.c:4138:16: warning: array subscript is below array bounds [-Warray-bounds]
+
+Also correct the sizeof() invocation to make it more obviously
+correct (in fact the buffers for names and addresses happen to both
+be of size MAX_ADDRESSLENGTH, so it was fine, but it's good to be
+obvious).
+
+Forwarded: https://github.com/ioquake/ioq3/pull/226
+---
+ code/ui/ui_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/code/ui/ui_main.c b/code/ui/ui_main.c
+index a1539f3..044c00f 100644
+--- a/code/ui/ui_main.c
++++ b/code/ui/ui_main.c
+@@ -4135,7 +4135,7 @@ static void UI_BuildFindPlayerList(qboolean force) {
+ 	else {
+ 		// add a line that shows the number of servers found
+ 		if (!uiInfo.numFoundPlayerServers) {
+-			Com_sprintf(uiInfo.foundPlayerServerNames[uiInfo.numFoundPlayerServers-1], sizeof(uiInfo.foundPlayerServerAddresses[0]), "no servers found");
++			Com_sprintf(uiInfo.foundPlayerServerNames[0], sizeof(uiInfo.foundPlayerServerNames[0]), "no servers found");
+ 		}
+ 		else {
+ 			Com_sprintf(uiInfo.foundPlayerServerNames[uiInfo.numFoundPlayerServers-1], sizeof(uiInfo.foundPlayerServerAddresses[0]),
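Review bot: The replacement line at L88 writes "no servers found" into slot 0 but nothing in this branch raises numFoundPlayerServers from 0, so if the list consumer (outside the hunk) uses that count as its row count the message is never displayed — the old `count-1` index, however broken, at least matched the convention the else branch at L91 still uses. If the branch is unreachable, as the description at L60-62 argues, say so in the code rather than silently writing: `// unreachable: numFoundPlayerServers is 1 + servers found by the time we get here` above the if; if it is reachable, the pre-patch write into foundPlayerServerNames[-1] was an out-of-bounds write of a fixed string into whatever precedes that array in uiInfo, so the "not security-sensitive" judgement rests entirely on that reachability argument and should cite it. The description also says "foundPlayerServerNames < 1" where it means "numFoundPlayerServers < 1". UI_BuildFindPlayerList starts and ends outside the hunk.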
diff --git a/debian/patches/UI_BuildFindPlayerList-make-a-sizeof-more-obviously-corre.patch b/debian/patches/UI_BuildFindPlayerList-make-a-sizeof-more-obviously-corre.patch
new file mode 100644
index 0000000..6117ef7
--- /dev/null
+++ b/debian/patches/UI_BuildFindPlayerList-make-a-sizeof-more-obviously-corre.patch
@@ -0,0 +1,27 @@
+From: Simon McVittie <smcv at debian.org>
+Date: Sun, 25 Sep 2016 16:59:12 +0100
+Subject: UI_BuildFindPlayerList: make a sizeof() more obviously correct
+
+As with the other branch of the if/else, each element of
+foundPlayerServerNames is in fact the same size as each element of
+foundPlayerServerAddresses, so it was fine; but it's better to make
+it obvious that we are using the right array sizes.
+
+Forwarded: https://github.com/ioquake/ioq3/pull/226
+---
+ code/ui/ui_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/code/ui/ui_main.c b/code/ui/ui_main.c
+index 044c00f..e9e36ea 100644
+--- a/code/ui/ui_main.c
++++ b/code/ui/ui_main.c
+@@ -4138,7 +4138,7 @@ static void UI_BuildFindPlayerList(qboolean force) {
+ 			Com_sprintf(uiInfo.foundPlayerServerNames[0], sizeof(uiInfo.foundPlayerServerNames[0]), "no servers found");
+ 		}
+ 		else {
+-			Com_sprintf(uiInfo.foundPlayerServerNames[uiInfo.numFoundPlayerServers-1], sizeof(uiInfo.foundPlayerServerAddresses[0]),
++			Com_sprintf(uiInfo.foundPlayerServerNames[uiInfo.numFoundPlayerServers-1], sizeof(uiInfo.foundPlayerServerNames[0]),
+ 						"%d server%s found with player %s", uiInfo.numFoundPlayerServers-1,
+ 						uiInfo.numFoundPlayerServers == 2 ? "":"s", uiInfo.findPlayerName);
+ 		}
diff --git a/debian/patches/series b/debian/patches/series
index c5b7b81..ec1739a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,6 +1,9 @@
 Pick-up-date-from-SOURCE_DATE_EPOCH-for-reproducible-buil.patch
 Introduce-NOTSHLIBLDFLAGS-used-to-link-executables-only.patch
 Fix-mis-spellings-of-separating-as-seperating.patch
+snd_wavelet-avoid-undefined-pointer-below-array-bounds.patch
+UI_BuildFindPlayerList-avoid-array-underflow.patch
+UI_BuildFindPlayerList-make-a-sizeof-more-obviously-corre.patch
 debian/Add-sv_dorestart-which-can-be-set-by-game-code-to-re.patch
 debian/Let-servers-set-sv_fps-too.patch
 debian/Add-a-special-vmMagic-that-causes-equivalent-native-.patch
diff --git a/debian/patches/snd_wavelet-avoid-undefined-pointer-below-array-bounds.patch b/debian/patches/snd_wavelet-avoid-undefined-pointer-below-array-bounds.patch
new file mode 100644
index 0000000..a98e2b5
--- /dev/null
+++ b/debian/patches/snd_wavelet-avoid-undefined-pointer-below-array-bounds.patch
@@ -0,0 +1,67 @@
+From: Simon McVittie <smcv at debian.org>
+Date: Sun, 25 Sep 2016 16:43:54 +0100
+Subject: snd_wavelet: avoid undefined pointer below array bounds
+
+Given an array b[] of length n, pointers to &b[0]..&b[n] are defined
+(where only &b[0]..&b[n-1] can be validly dereferenced). &b[-1], or
+equivalently b-1, is not something we can use in valid Standard C.
+
+gcc 6 diagnoses this as:
+
+code/client/snd_wavelet.c:33:9: warning: array subscript is below array bounds [-Warray-bounds]
+
+and might take this undefined behaviour as permission to emit
+"more efficient" object code that is not what the author expected,
+for example nothing at all. Use a macro to fake a 1-based array instead.
+
+Forwarded: https://github.com/ioquake/ioq3/pull/226
+---
+ code/client/snd_wavelet.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+diff --git a/code/client/snd_wavelet.c b/code/client/snd_wavelet.c
+index 3d8f5c7..e051da2 100644
+--- a/code/client/snd_wavelet.c
++++ b/code/client/snd_wavelet.c
+@@ -30,7 +30,7 @@ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+ void daub4(float b[], unsigned long n, int isign)
+ {
+ 	float wksp[4097] = { 0.0f };
+-	float	*a=b-1;						// numerical recipies so a[1] = b[0]
++#define a(x) b[(x)-1]					// numerical recipies so a[1] = b[0]
+ 
+ 	unsigned long nh,nh1,i,j;
+ 
+@@ -39,22 +39,23 @@ void daub4(float b[], unsigned long n, int isign)
+ 	nh1=(nh=n >> 1)+1;
+ 	if (isign >= 0) {
+ 		for (i=1,j=1;j<=n-3;j+=2,i++) {
+-			wksp[i]	   = C0*a[j]+C1*a[j+1]+C2*a[j+2]+C3*a[j+3];
+-			wksp[i+nh] = C3*a[j]-C2*a[j+1]+C1*a[j+2]-C0*a[j+3];
++			wksp[i]	   = C0*a(j)+C1*a(j+1)+C2*a(j+2)+C3*a(j+3);
++			wksp[i+nh] = C3*a(j)-C2*a(j+1)+C1*a(j+2)-C0*a(j+3);
+ 		}
+-		wksp[i   ] = C0*a[n-1]+C1*a[n]+C2*a[1]+C3*a[2];
+-		wksp[i+nh] = C3*a[n-1]-C2*a[n]+C1*a[1]-C0*a[2];
++		wksp[i   ] = C0*a(n-1)+C1*a(n)+C2*a(1)+C3*a(2);
++		wksp[i+nh] = C3*a(n-1)-C2*a(n)+C1*a(1)-C0*a(2);
+ 	} else {
+-		wksp[1] = C2*a[nh]+C1*a[n]+C0*a[1]+C3*a[nh1];
+-		wksp[2] = C3*a[nh]-C0*a[n]+C1*a[1]-C2*a[nh1];
++		wksp[1] = C2*a(nh)+C1*a(n)+C0*a(1)+C3*a(nh1);
++		wksp[2] = C3*a(nh)-C0*a(n)+C1*a(1)-C2*a(nh1);
+ 		for (i=1,j=3;i<nh;i++) {
+-			wksp[j++] = C2*a[i]+C1*a[i+nh]+C0*a[i+1]+C3*a[i+nh1];
+-			wksp[j++] = C3*a[i]-C0*a[i+nh]+C1*a[i+1]-C2*a[i+nh1];
++			wksp[j++] = C2*a(i)+C1*a(i+nh)+C0*a(i+1)+C3*a(i+nh1);
++			wksp[j++] = C3*a(i)-C0*a(i+nh)+C1*a(i+1)-C2*a(i+nh1);
+ 		}
+ 	}
+ 	for (i=1;i<=n;i++) {
+-		a[i]=wksp[i];
++		a(i)=wksp[i];
+ 	}
++#undef a
+ }
+ 
+ void wt1(float a[], unsigned long n, int isign)
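Review bot: Switching to `a(x)` removes the below-bounds pointer, but the bound that governs memory safety here is not checked anywhere visible: wksp is 4097 floats (L173) while L186 writes wksp[i+nh] with i reaching nh (index n) and L204-206 read wksp[i] up to n, so the function is only safe for n <= 4096, and the lines between the two hunks (36-38) that might enforce a lower bound are not shown. Unless wt1 (outside the hunk) provably caps n, an explicit `if (n > 4096) return;` next to whatever guard precedes L180 — or sizing wksp from n — is the check that actually matters, and a comment `/* wksp is indexed up to n; caller must keep n <= 4096 */` on L173 would document the contract. The macro name `a` is also easy to misread as an ordinary array and collides with the parameter name of the very next function, so it relies entirely on the `#undef` at L208; a name such as `A1(x)` or `ONE_BASED(x)` would make the 1-based indexing explicit.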



