Possible buffer overflow

• Apr 29, 2014 - 12:47
Type
Functional
Severity
S4 - Minor
Status
closed
Project

While investigating another bug under address sanitizer, I found a possible buffer overflow:
1- Download [this|http://tabs.ultimate-guitar.com/q/queen/my_fairy_king_guitar_pro.htm] file (gray button "Download Guitar Pro Tab", file queen_my_fairy_king.gp3)
2- Open the file.
When the file is loaded, at a certain point, at line 166 of libmscore/clef.cpp
if (ClefInfo::staffGroup(clefType()) != TAB_STAFF_GROUP)
the clefType() is ClefType::INVALID.
This ClefType is not present in the clefTable defined in lines 34-57 of libmscore/clef.cpp, causing a buffer overflow inside the function ClefInfo::staffGroup(clefType()) [clefType() is ClefType::INVALID]; address sanitizer therefore induces a crash.
Attached address sanitizer log.
Linux Mint 13, commit 2bf563b

Attachment Size
cleftable_invalid.txt 4.57 KB

Comments

It now (since roughly two weeks ago) also happens with any file, even a new file from the wizard.
That's why I wrote a pull request.
As mentioned before, at some point ClefType::INVALID is the result of clefType() (even for a new file, now), but then ClefInfo::staffGroup(clefType()) causes an overflow because staffGroup is not defined for ClefType::INVALID, which is not present in the ClefType table.
There is no actual crash in the real application, but staffGroup for ClefType::INVALID is undefined behavior.

Attachment Size
asan_log_newFile.txt 2.83 KB
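The report and the follow-up comment describe one pattern: an enum value (ClefType::INVALID) that has no row in an enum-indexed table is used as the index, so the lookup reads outside the array. The example below is added here for illustration and is not MuseScore's code: the ClefType enumerators, the StaffGroup values, the ClefInfoRow layout and the table contents are all constructed stand-ins, not libmscore's clefTable. It shows the unchecked lookup beside a bounds-checked one, plus a compile-time check that the table and the enum cannot drift apart.

```cpp
// Added example, not libmscore code. Constructed enum-indexed table that
// reproduces the class of bug in the report, beside a checked lookup.
#include <cstddef>
#include <cstdio>

// Constructed stand-in for ClefType: valid rows 0..MAX-1, plus a sentinel
// with no row. The real enum has many more clefs.
enum class ClefType : int {
    G = 0,
    F = 1,
    C = 2,
    TAB = 3,
    MAX = 4,        // one past the last valid row
    INVALID = -1    // sentinel: no row in the table
};

enum StaffGroup { STANDARD_STAFF_GROUP = 0, TAB_STAFF_GROUP = 1 };

struct ClefInfoRow {
    const char* tag;
    StaffGroup group;
};

// Constructed table (NOT libmscore's clefTable): exactly one row per valid ClefType.
static const ClefInfoRow clefTable[] = {
    { "G",   STANDARD_STAFF_GROUP },
    { "F",   STANDARD_STAFF_GROUP },
    { "C",   STANDARD_STAFF_GROUP },
    { "TAB", TAB_STAFF_GROUP },
};

// Compile-time guard: adding an enumerator without a row (or vice versa) is a
// build error rather than a silent out-of-bounds read later.
static_assert(sizeof(clefTable) / sizeof(clefTable[0]) == static_cast<std::size_t>(ClefType::MAX),
              "clefTable must have one row per valid ClefType");

// Unchecked lookup: the pattern the report describes. For ct == ClefType::INVALID
// (-1) this evaluates clefTable[-1], an out-of-bounds read and undefined
// behaviour. AddressSanitizer can report it; a plain release build usually just
// returns whatever bytes sit before the array, which is why no crash is seen.
StaffGroup staffGroupUnchecked(ClefType ct) {
    return clefTable[static_cast<int>(ct)].group;
}

// Does this ClefType have a row in the table?
bool hasRow(ClefType ct) {
    int idx = static_cast<int>(ct);
    return idx >= 0 && idx < static_cast<int>(ClefType::MAX);
}

// Checked lookup: validate the index before dereferencing. Returns false for
// INVALID (or any stray value) instead of reading past the table.
bool staffGroupChecked(ClefType ct, StaffGroup* out) {
    if (!hasRow(ct)) {
        return false;
    }
    *out = clefTable[static_cast<int>(ct)].group;
    return true;
}

// Caller pattern matching the `!= TAB_STAFF_GROUP` test in the report: an unknown
// clef is treated as "not a TAB staff" without touching the table.
bool isTabStaff(ClefType ct) {
    StaffGroup g;
    return staffGroupChecked(ct, &g) && g == TAB_STAFF_GROUP;
}

int main() {
    const ClefType probes[] = { ClefType::G, ClefType::TAB, ClefType::INVALID };
    for (ClefType ct : probes) {
        StaffGroup g;
        if (staffGroupChecked(ct, &g)) {
            std::printf("ClefType %d -> group %d, tab=%d\n",
                        static_cast<int>(ct), static_cast<int>(g), isTabStaff(ct));
        } else {
            std::printf("ClefType %d -> no table row (skipped, no OOB read)\n",
                        static_cast<int>(ct));
        }
    }
#ifdef TRIGGER_OVERFLOW
    // Build with -DTRIGGER_OVERFLOW -fsanitize=address to exercise the unchecked
    // path with the sentinel; this is the undefined read the report is about.
    std::printf("unchecked INVALID -> %d\n",
                static_cast<int>(staffGroupUnchecked(ClefType::INVALID)));
#endif
    return 0;
}
```

The unchecked function is kept only to show the shape of the bug; nothing calls it with the sentinel unless TRIGGER_OVERFLOW is defined. The fix that matters is the same as in the report's pull request: a caller must not hand ClefType::INVALID to a table lookup, and the lookup itself should refuse indices outside the table rather than rely on callers.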