Bug 25679 - Memory leak and buffer overflow in get_gsharedvt_type()
Summary: Memory leak and buffer overflow in get_gsharedvt_type()
Alias: None
Product: iOS
Classification: Xamarin
Component: XI runtime
Version: master
Hardware: PC Windows
Importance: --- normal
Target Milestone: Untriaged
Assignee: Zoltan Varga
Depends on:
Reported: 2015-01-01 19:11 UTC by Maks
Modified: 2015-01-02 18:01 UTC

See Also:
Is this bug a regression?: ---
Last known good build:


Description Maks 2015-01-01 19:11:55 UTC
static MonoType*
get_gsharedvt_type (MonoType *t)
{
1:	MonoGenericParam *par = t->data.generic_param;
1:	MonoGenericParam *copy;
	MonoType *res;
	if (par->owner) {

2:		copy = mono_image_alloc0 (image, sizeof (MonoGenericParamFull));
3:		memcpy (copy, par, sizeof (MonoGenericParamFull));
	} else {
2:		copy = g_memdup (par, sizeof (MonoGenericParamFull));
1. t->data.generic_param, par and copy are "MonoGenericParam", not "MonoGenericParamFull":
struct _MonoGenericParam {
	MonoGenericContainer *owner;
	guint16 num;
	guint16 serial;
	MonoImage *image;
};
sizeof(MonoGenericParam) = 12 bytes (32-bit build)

typedef struct {
	MonoGenericParam param;
	MonoGenericParamInfo info;
} MonoGenericParamFull;
sizeof(MonoGenericParamFull) = 32 bytes (32-bit build)

2. When mono_image_alloc0() or g_memdup() is called, it allocates memory equal to sizeof(MonoGenericParamFull) = 32 bytes.
When the resources of "MonoType *res" are released, only sizeof(MonoGenericParam) = 12 bytes will be freed. Memleak.

3. Buffer overflow. memcpy will copy bytes beyond "MonoGenericParam *par" (32 - 12 = 20 bytes) to "MonoGenericParam *copy" (20-byte overflow).
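To make the size mismatch in the report concrete, the following C program is an added example (not code from the report, the PR, or mono itself). It mirrors the two structure layouts with constructed field types (MonoGenericParamInfo is an assumed placeholder, so the absolute sizes differ from the 12/32 bytes quoted for a 32-bit mono build), shows the copy pattern that takes its size from the destination type and so reads past a bare MonoGenericParam, and a sized copy that only copies what the caller says the source owns, zero-filling the rest. The mono_image_alloc0 accounting side of the leak depends on mono's own allocator and is not modelled here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the structures named in the report. MonoGenericParam
 * follows the fields shown there; MonoGenericParamInfo is an assumed layout whose
 * only job is to make MonoGenericParamFull larger than MonoGenericParam. */
typedef struct _MonoGenericContainer MonoGenericContainer;
typedef struct _MonoImage MonoImage;

typedef struct {
	MonoGenericContainer *owner;
	uint16_t num;
	uint16_t serial;
	MonoImage *image;
} MonoGenericParam;

typedef struct {		/* assumed layout, not mono's */
	void *pklass;
	const char *name;
	uint32_t token;
} MonoGenericParamInfo;

typedef struct {
	MonoGenericParam param;
	MonoGenericParamInfo info;
} MonoGenericParamFull;

/* Bytes a memcpy of sizeof (MonoGenericParamFull) reads past the end of a bare
 * MonoGenericParam: the report's 32 - 12 = 20 on a 32-bit build. */
size_t overread_bytes (void)
{
	return sizeof (MonoGenericParamFull) - sizeof (MonoGenericParam);
}

/* The pattern the report describes: the copy size comes from the destination
 * type, not from what *par really is. Correct only when par is a Full. */
MonoGenericParamFull *copy_param_buggy (const MonoGenericParam *par)
{
	MonoGenericParamFull *copy = malloc (sizeof *copy);
	if (!copy) return NULL;
	memcpy (copy, par, sizeof *copy);	/* overreads when par is a bare MonoGenericParam */
	return copy;
}

/* Defensive variant: the caller states how many bytes par actually owns. Only
 * that many are copied, the rest of the Full stays zero, and an impossible size
 * is refused instead of trusted. */
MonoGenericParamFull *copy_param_sized (const MonoGenericParam *par, size_t par_size)
{
	if (par_size < sizeof *par || par_size > sizeof (MonoGenericParamFull))
		return NULL;
	MonoGenericParamFull *copy = calloc (1, sizeof *copy);
	if (!copy) return NULL;
	memcpy (copy, par, par_size);
	return copy;
}

/* 1 when the info half of copy is all zero, i.e. nothing was read in from
 * beyond the source object. */
int info_is_zeroed (const MonoGenericParamFull *copy)
{
	static const MonoGenericParamInfo zero;
	return memcmp (&copy->info, &zero, sizeof zero) == 0;
}

/* Constructed source: a bare MonoGenericParam at the start of a Full-sized
 * buffer whose remaining bytes are 0xAB sentinels, standing in for whatever
 * follows the object on the heap. Returns info_is_zeroed () for the chosen copy. */
int run_scenario (int use_sized_copy)
{
	union { MonoGenericParamFull full; unsigned char bytes[sizeof (MonoGenericParamFull)]; } buf;
	MonoGenericParam par;
	memset (&buf, 0xAB, sizeof buf);
	memset (&par, 0, sizeof par);
	par.num = 7;
	par.serial = 1;
	memcpy (&buf.full.param, &par, sizeof par);

	const MonoGenericParam *src = &buf.full.param;
	MonoGenericParamFull *copy = use_sized_copy
		? copy_param_sized (src, sizeof par)
		: copy_param_buggy (src);
	if (!copy) return -1;
	int clean = info_is_zeroed (copy);
	free (copy);
	return clean;
}

int main (void)
{
	printf ("sizeof (MonoGenericParam) = %zu, sizeof (MonoGenericParamFull) = %zu, overread = %zu bytes\n",
		sizeof (MonoGenericParam), sizeof (MonoGenericParamFull), overread_bytes ());
	printf ("buggy copy picked up foreign bytes: %s\n", run_scenario (0) ? "no" : "yes");
	printf ("sized copy info zeroed: %s\n", run_scenario (1) ? "yes" : "no");
	return 0;
}
```

The buggy copy carries the 0xAB sentinels into the new object's info half, which is exactly the stale-heap-contents symptom a fuzzer or ASan report would flag; the sized copy leaves that half zeroed and rejects a caller that claims a size smaller than the base structure.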
Comment 1 Maks 2015-01-02 05:14:51 UTC
PR: https://github.com/mono/mono/pull/1487
Comment 2 Zoltan Varga 2015-01-02 18:01:09 UTC
Fixed in 102f316ae2db2cb242183d8ffb7b8b2793bbda98. generic_param is a MonoGenericParamFull structure in most cases.
