Buffer overflow in _grail_be_extract_gesture_attrs

Bug #1687228 reported by Christoph
This bug affects 1 person
Affects: Geis | Status: Confirmed | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

I observed segfaults occurring seemingly at random in libgeis.

I found that the function _grail_be_extract_gesture_attrs in libgeis/backend/grail/geis_grail_backend.c reads a cumulative transformation matrix from grail, which is a 3x3 matrix (9 floats). Immediately after this, it calls geis_frame_set_matrix passing this matrix, but geis_frame_set_matrix expects a 4x4 matrix and copies 16 floats.

This mismatch creates a buffer overflow which usually goes unnoticed, but sometimes raises SIGSEGV. The error shows up reliably whenever you compile libgeis with gcc's AddressSanitizer.

I attached a small patch that fixes the problem for me by converting the matrix to 4x4 before passing it to geis_frame_set_matrix. But I was unable to make 100% sure that I got the conversion right and that I did not accidentally transpose the matrix. I would be happy if someone could look over this patch.

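The 9-versus-16 float mismatch and the 3x3 to 4x4 embedding, as an added C example that is not code from libgeis or from the attached patch. `set_matrix_4x4_unsafe` is a hypothetical stand-in for a consumer that blindly copies 16 floats (the behaviour the report describes for geis_frame_set_matrix), `matrix_3x3_to_4x4` embeds the 2D homogeneous transform in a 4x4 3D one, and the matrix layout (row-major, translation in the last column) is an assumption about grail's matrix, not something the report states. `conversion_matches` is the check a reviewer would want for the "did I transpose it?" question: transform the same point through the 3x3 and through the converted 4x4 and compare. `count_leaked_sentinels` shows the over-read without undefined behaviour by placing the 9-float matrix in front of 7 sentinel floats; on the real 9-float buffer the same copy reads 28 bytes past the end, which is what ASan (`-fsanitize=address`) flags.

```c
#include <math.h>
#include <stdio.h>
#include <string.h>

#define M3 9   /* 3x3 matrix: what grail hands out, per the report */
#define M4 16  /* 4x4 matrix: what geis_frame_set_matrix copies, per the report */

/* Hypothetical consumer mirroring the mismatch in the report: it copies
 * 16 floats from whatever buffer it is given, so a 9-float source is
 * over-read by 7 floats (28 bytes). */
void set_matrix_4x4_unsafe(float *dst16, const float *src) {
    memcpy(dst16, src, M4 * sizeof(float));
}

/* Embed a 2D homogeneous 3x3 transform in a 4x4 3D homogeneous matrix.
 * Assumed layout (not stated in the report): row-major, translation in the
 * last column, i.e. in = [a b tx; c d ty; p q w].
 * out = [a b 0 tx; c d 0 ty; 0 0 1 0; p q 0 w], so z passes through
 * unchanged and the 2D result is identical. */
void matrix_3x3_to_4x4(float out[M4], const float in[M3]) {
    memset(out, 0, M4 * sizeof(float));
    out[0]  = in[0]; out[1]  = in[1]; out[3]  = in[2];  /* a  b  .  tx */
    out[4]  = in[3]; out[5]  = in[4]; out[7]  = in[5];  /* c  d  .  ty */
    out[10] = 1.0f;                                     /* .  .  1  .  */
    out[12] = in[6]; out[13] = in[7]; out[15] = in[8];  /* p  q  .  w  */
}

/* Apply a 3x3 homogeneous transform to (x, y) and dehomogenise. */
static void apply_3x3(const float m[M3], float x, float y, float *ox, float *oy) {
    float w = m[6] * x + m[7] * y + m[8];
    *ox = (m[0] * x + m[1] * y + m[2]) / w;
    *oy = (m[3] * x + m[4] * y + m[5]) / w;
}

/* Apply a 4x4 homogeneous transform to (x, y, 0, 1) and dehomogenise. */
static void apply_4x4(const float m[M4], float x, float y, float *ox, float *oy) {
    float w = m[12] * x + m[13] * y + m[15];
    *ox = (m[0] * x + m[1] * y + m[3]) / w;
    *oy = (m[4] * x + m[5] * y + m[7]) / w;
}

/* Transposition check: the converted 4x4 must move a test point exactly as
 * the original 3x3 does. Returns 1 if the results agree, 0 otherwise. */
int conversion_matches(const float m3[M3], float x, float y) {
    float m4[M4], ax, ay, bx, by;
    matrix_3x3_to_4x4(m4, m3);
    apply_3x3(m3, x, y, &ax, &ay);
    apply_4x4(m4, x, y, &bx, &by);
    return fabsf(ax - bx) < 1e-4f && fabsf(ay - by) < 1e-4f;
}

/* Make the over-read visible without undefined behaviour: put the 9 real
 * floats in front of 7 sentinels in a 16-float buffer, run the unsafe copy,
 * and count how many sentinels ended up in the destination (expected: 7). */
int count_leaked_sentinels(const float m3[M3]) {
    float padded[M4], dst[M4];
    const float sentinel = -999.0f;  /* constructed marker value */
    memcpy(padded, m3, M3 * sizeof(float));
    for (int i = M3; i < M4; i++) padded[i] = sentinel;
    set_matrix_4x4_unsafe(dst, padded);
    int leaked = 0;
    for (int i = 0; i < M4; i++) if (dst[i] == sentinel) leaked++;
    return leaked;
}

/* Constructed sample: scale by 2, translate by (10, 5). */
const float sample_m3[M3] = { 2.0f, 0.0f, 10.0f,
                              0.0f, 2.0f,  5.0f,
                              0.0f, 0.0f,  1.0f };

int main(void) {
    printf("conversion matches on (3,4): %d\n", conversion_matches(sample_m3, 3.0f, 4.0f));
    printf("sentinel floats copied by the 16-float memcpy: %d\n", count_leaked_sentinels(sample_m3));
    return 0;
}
```

If grail's matrix turns out to be column-major (translation in the last row of the 9-float array), the same check still works: swap the index mapping in `matrix_3x3_to_4x4` and `apply_*` consistently and `conversion_matches` will tell you whether the embedding preserved the transform. The point is to validate against a transformed coordinate rather than by eye.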
Christoph (f-ubuntuone-6) wrote :
Stephen M. Webb (bregma)
Changed in geis:
status: New → Confirmed
