Buffer overflow in SerializeLibraryState() found by Address Sanitizer
Hi hackers!
SerializeLibraryState() writes 1 byte too much into the buffer pointed
to by start_address. This is the very last '\0' it writes after the
loop. Attached is a patch that fixes the problem by accounting for that
extra byte in EstimateLibraryStateSpace().
--
David Geier
(ServiceNow)
Attachments:
0001-Fix-buffer-overflow-in-SerializeLibraryState.patch (text/plain)
On 10 Jun 2025, at 14:59, David Geier <geidav.pg@gmail.com> wrote:
> Hi hackers!
> SerializeLibraryState() writes 1 byte too much into the buffer pointed to by start_address. This is the very last '\0' it writes after the loop. Attached is a patch that fixes the problem by accounting for that extra byte in EstimateLibraryStateSpace().
The last '\0' written isn't performed in relation to the size, but at a fixed
index in the buffer:
...
}
start_address[0] = '\0';
How would that cause a buffer overflow?
--
Daniel Gustafsson
The loop advances the pointer via start_address += len.
--
David Geier
(ServiceNow)
On 6/10/2025 3:06 PM, Daniel Gustafsson wrote:
>> On 10 Jun 2025, at 14:59, David Geier <geidav.pg@gmail.com> wrote:
>> Hi hackers!
>> SerializeLibraryState() writes 1 byte too much into the buffer pointed to by start_address. This is the very last '\0' it writes after the loop. Attached is a patch that fixes the problem by accounting for that extra byte in EstimateLibraryStateSpace().
> The last '\0' written isn't performed in relation to the size, but at a fixed
> index in the buffer:
> ...
> }
> start_address[0] = '\0';
> How would that cause a buffer overflow?
> --
> Daniel Gustafsson
But just seeing now that size in EstimateLibraryState() is initialized
to 1. So that total size should actually be fine. Weird that the patch
makes the sanitizer error disappear.
On 6/10/2025 4:21 PM, David Geier wrote:
> The loop advances the pointer via start_address += len.
--
David Geier
(ServiceNow)
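The layout the thread is arguing about, as an added stand-alone example (not the attached patch and not PostgreSQL's own dfmgr.c code): a sequence of NUL-terminated library names followed by one extra '\0' as the end-of-list marker, with the estimate starting at 1 so that the byte written after the loop is already paid for. The function names, the sample library names and the "refuse rather than overflow" behaviour on a short buffer are assumptions made for illustration; the check at the end is the kind of estimate-versus-actual comparison a reviewer would want before concluding whether the sanitizer report points at the sizing or somewhere else.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical re-implementation of an estimate/serialize pair (assumed
 * names, not PostgreSQL's code). Wire format: each name with its NUL,
 * then one more '\0' that marks the end of the list.
 */

/* Constructed sample input: names of loaded libraries. */
static const char *const sample_libs[] = {
    "pg_stat_statements", "plpgsql", "auto_explain"
};
#define NSAMPLE (sizeof(sample_libs) / sizeof(sample_libs[0]))

/* Space needed: every name plus its NUL, plus 1 for the trailing marker. */
size_t estimate_library_state_space(const char *const *libs, size_t n)
{
    size_t size = 1;                        /* the '\0' written after the loop */
    for (size_t i = 0; i < n; i++)
        size += strlen(libs[i]) + 1;
    return size;
}

/*
 * Serialize into buf, never writing past maxsize bytes.
 * Returns the number of bytes written, or 0 if buf is too small.
 */
size_t serialize_library_state(const char *const *libs, size_t n,
                               char *buf, size_t maxsize)
{
    char *p = buf;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(libs[i]) + 1;   /* name plus its NUL */
        if (len >= maxsize)                 /* keep room for the final '\0' */
            return 0;
        memcpy(p, libs[i], len);
        p += len;                           /* the pointer advance the thread discusses */
        maxsize -= len;
    }
    if (maxsize < 1)
        return 0;
    *p = '\0';                              /* end-of-list marker */
    return (size_t)(p - buf) + 1;
}

/* Reader side: count entries until the empty string that ends the list. */
size_t count_serialized_entries(const char *buf)
{
    size_t n = 0;
    while (*buf != '\0') {
        buf += strlen(buf) + 1;
        n++;
    }
    return n;
}

/* Serialize the sample with exactly the estimated size and read it back. */
size_t sample_roundtrip_count(void)
{
    char buf[64];
    size_t est = estimate_library_state_space(sample_libs, NSAMPLE);
    if (est > sizeof(buf))
        return 0;
    if (serialize_library_state(sample_libs, NSAMPLE, buf, est) != est)
        return 0;                           /* estimate did not match bytes written */
    return count_serialized_entries(buf);
}

/* An estimate one byte short must be refused, not overflowed. */
int short_buffer_is_rejected(void)
{
    char buf[64];
    size_t est = estimate_library_state_space(sample_libs, NSAMPLE);
    return serialize_library_state(sample_libs, NSAMPLE, buf, est - 1) == 0;
}

int main(void)
{
    printf("estimate=%zu entries=%zu short-buffer-rejected=%d\n",
           estimate_library_state_space(sample_libs, NSAMPLE),
           sample_roundtrip_count(), short_buffer_is_rejected());
    return 0;
}
```

With the estimate seeded at 1, the bytes written equal the estimate for both the sample list and the empty list, which is the point David reaches at the end of the thread; dropping that initial 1 is what would make the trailing '\0' land one byte past the buffer.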