puredata: tabwrite~ malfunction on x86_64

Bug #134696 reported by holgi on 2007-08-25
6
Affects Status Importance Assigned to Milestone
puredata (Ubuntu)
Undecided
Unassigned

Bug Description

Binary package hint: puredata

When writing to an array in puredata on x86_64, the values are not written continuously to the array, but the blocks are somewhat disparate: Values 0-63 are written correctly, then there is a gap at offsets 64-127, then the data which would belong there is written to offsets 128-191 instead, again a gap from 192-255 etc. Looks like a problem in determining the offset into the array for a particular block on 64bit.

IMHO this is a possible security hole, because values will be written beyond the array if no additional checking is performed.

holgi (holger-tasch) wrote :

I will supply two attachments: pd.should.png shows a very simple pd patch, how it should look (and how it looks on 32 Bit).

holgi (holger-tasch) wrote :

pd.is.png shows the same patch on 64-Bit Ubuntu. The bottom graph demonstrates quite clearly, that the values which should lie between 64 and 127 are really being written to 128 - 191. This is why I suspect that the values that belong there may be written beyond the array.

holgi (holger-tasch) wrote :

Remark: Version 0.41 Test 06 (http://crca.ucsd.edu/~msp/Software/pd-0.41-0test06.src.tar.gz) seems to have the problem fixed, but 0.40-3 (http://crca.ucsd.edu/~msp/Software/pd-0.40-3.src.tar.gz) marked as stable not yet.

Kees Cook (kees) wrote :

Thanks for this report! I've unmarked this a security issue for the moment since the data it processes is user-provided. If there are other vectors where a third party could inject things into memory, that would be another situation. Also, without looking closely, since the bug doesn't cause a crash, it is less likely that it impacts areas of memory that are security-sensitive.

kubriel (kubriel) wrote :

also problem here with Pd version 0.40-2 on amd x64

Daniel T Chen (crimsun) on 2008-10-19
Changed in puredata:
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers