puredata: tabwrite~ malfunction on x86_64

Bug #134696 reported by holgi
Affects: puredata (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: puredata

When writing to an array in puredata on x86_64, the values are not written continuously to the array, but the blocks are somewhat disparate: Values 0-63 are written correctly, then there is a gap at offsets 64-127, then the data which would belong there is written to offsets 128-191 instead, again a gap from 192-255 etc. Looks like a problem in determining the offset into the array for a particular block on 64-bit.

IMHO this is a possible security hole, because values will be written beyond the array if no additional checking is performed.
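
Added example (not part of the original report and not Pd's own code): a small C model of the write pattern described above, showing how many samples a bounds check has to reject when block k lands at offset 128*k instead of 64*k. The array size, the function name replay() and the stride parameter are assumptions made for the demo; the actual cause inside Pd is not stated in this report.

```c
#include <stdio.h>
#include <stddef.h>

#define BLOCK   64       /* block size taken from the offsets in the report */
#define NPOINTS 256      /* constructed array size for this demo */
#define EMPTY   (-1.0f)  /* sentinel: slot never written */

struct stats { size_t written, rejected, untouched; };

/* Replay NPOINTS/BLOCK block writes into a NPOINTS-sample array.
 * stride = 1: block k lands at 64*k (contiguous, as reported for 32-bit).
 * stride = 2: block k lands at 128*k (symptom reported for x86_64).
 * Every store is bounds-checked; a sample that would land past the
 * end of the array is counted in `rejected` instead of being stored. */
struct stats replay(size_t stride)
{
    float array[NPOINTS];
    struct stats st = {0, 0, 0};
    size_t k, i;

    for (i = 0; i < NPOINTS; i++)
        array[i] = EMPTY;

    for (k = 0; k < NPOINTS / BLOCK; k++) {
        size_t off = k * BLOCK * stride;
        for (i = 0; i < BLOCK; i++) {
            if (off + i < NPOINTS) {
                array[off + i] = (float)(k * BLOCK + i); /* sample index as value */
                st.written++;
            } else {
                st.rejected++; /* would be an out-of-bounds store if unchecked */
            }
        }
    }
    for (i = 0; i < NPOINTS; i++)
        if (array[i] == EMPTY)
            st.untouched++;
    return st;
}

int main(void)
{
    size_t s;
    for (s = 1; s <= 2; s++) {
        struct stats st = replay(s);
        printf("stride %zu: written=%zu rejected=%zu untouched=%zu\n",
               s, st.written, st.rejected, st.untouched);
    }
    return 0;
}
```

With stride 2 the untouched slots are exactly the gaps at 64-127 and 192-255 from the description, and half of the samples are turned away by the bounds check.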

holgi (holger-tasch) wrote :

I will supply two attachments: pd.should.png shows a very simple pd patch, how it should look (and how it looks on 32 Bit).

holgi (holger-tasch) wrote :

pd.is.png shows the same patch on 64-bit Ubuntu. The bottom graph demonstrates quite clearly that the values which should lie between 64 and 127 are really being written to 128 - 191. This is why I suspect that the values that belong there may be written beyond the array.

holgi (holger-tasch) wrote :

Remark: Version 0.41 Test 06 (http://crca.ucsd.edu/~msp/Software/pd-0.41-0test06.src.tar.gz) seems to have the problem fixed, but 0.40-3 (http://crca.ucsd.edu/~msp/Software/pd-0.40-3.src.tar.gz), marked as stable, does not yet.

Kees Cook (kees) wrote :

Thanks for this report! I've unmarked this as a security issue for the moment since the data it processes is user-provided. If there are other vectors where a third party could inject things into memory, that would be another situation. Also, without looking closely, since the bug doesn't cause a crash, it is less likely that it impacts areas of memory that are security-sensitive.

kubriel (kubriel) wrote :

Also a problem here with Pd version 0.40-2 on AMD x64.

Daniel T Chen (crimsun)
Changed in puredata:
status: New → Fix Released