
#1230 Bug in icon.cpp, uninitialized heap data can make it into generated setup.exe

3.0 Series
closed
nobody
5
2019-07-31
2019-07-27
No

This bug is in the code that writes out the icon resource data.

Specifically in this code: https://sourceforge.net/p/nsis/code/HEAD/tree/NSIS/trunk/Source/icon.cpp#l273

The data allocates an array that is the greater of two sizes -- the number of icons in the uninstaller and/or the number of icons in the setup. That's the .order.size().

But later on, only data from the actual icons array is written (icon.size()), with the remainder of the buffer containing potentially uninitialized heap data.

This bug can only be triggered if the number of layers in the uninstaller and installer icon files differ.

We encountered this in our software... issue here: https://github.com/spesmilo/electrum/commit/570c0aeca39e56c742b77380ec274d178d660c29

Suggested fix: Call ZeroMemory() on that returned group array before using it.
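The pattern reported above, as an added illustration (not NSIS's own icon.cpp code): a group buffer sized for the larger icon count, only the real entries written, and the unused tail left as whatever the allocation already held. Assumptions are labelled in the code: `GroupEntry` is a simplified stand-in for a group-icon entry, and a small scratch arena seeded with leftover data stands in for the process heap so the demonstration is deterministic and free of undefined behaviour.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstring>
#include <vector>

struct GroupEntry { uint16_t width, height, id; };   // simplified stand-in, not the real layout

// Constructed stand-in for the heap: an arena already holding data from an
// earlier use, so "uninitialized" bytes are deterministic for the demo.
static std::vector<uint8_t> g_arena(256, 0);
static void seed_arena_with_leftovers() {
    const char leftover[] = "PREVIOUS-BUILD-PATH-C:\\Users\\dev\\secret";
    std::memcpy(g_arena.data(), leftover, sizeof leftover);
}

// Mirrors the reported flaw: the buffer is sized for order_size entries
// (the larger of the installer and uninstaller icon counts) but only
// icons.size() entries are written. zero_fill == true applies the
// suggested fix (clear the whole buffer before use).
std::vector<uint8_t> build_group(size_t order_size,
                                 const std::vector<GroupEntry>& icons,
                                 bool zero_fill) {
    size_t bytes = order_size * sizeof(GroupEntry);
    uint8_t* buf = g_arena.data();            // "allocation" from the arena
    if (zero_fill) std::memset(buf, 0, bytes);
    for (size_t i = 0; i < icons.size(); ++i)
        std::memcpy(buf + i * sizeof(GroupEntry), &icons[i], sizeof(GroupEntry));
    return std::vector<uint8_t>(buf, buf + bytes);
}

// Check a release pipeline can run on the emitted block: the unused tail
// must be all zero, otherwise host memory has leaked into the output.
bool tail_is_clean(const std::vector<uint8_t>& group, size_t icons_written) {
    size_t used = icons_written * sizeof(GroupEntry);
    return std::all_of(group.begin() + used, group.end(),
                       [](uint8_t b) { return b == 0; });
}

// Scenario: installer has 2 icons, uninstaller had 3, so order_size is 3.
// Returns 0 on the expected outcome, otherwise a code saying what differed.
int run_demo() {
    seed_arena_with_leftovers();
    std::vector<GroupEntry> icons = {{16, 16, 1}, {32, 32, 2}};
    std::vector<uint8_t> leaky = build_group(3, icons, false);
    std::vector<uint8_t> fixed = build_group(3, icons, true);
    if (leaky.size() != 18 || fixed.size() != 18) return 1;
    if (tail_is_clean(leaky, 2)) return 2;   // bug not visible
    if (!tail_is_clean(fixed, 2)) return 3;  // fix not effective
    if (std::memcmp(leaky.data(), fixed.data(), 12) != 0) return 4;
    return 0;
}
```

Two builds of the leaky variant on different hosts differ only in the tail bytes, which is exactly what a reproducible-builds comparison flags.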

Discussion

  • Anders - 2019-07-31
    • labels: bug --> reproducible builds

  • Anders - 2019-07-31
    • status: open --> closed

  • Calin Culianu - 2019-07-31

    Thanks for fixing! Hurray for reproducible builds!
