Buffer overflow in ImGui::Combo() #298

tpoechtrager · 2015-08-13T17:24:39Z

ImGui::Combo("Test type", &test_type, "Single call to TextUnformatted()\0Multiple calls to Text(), clipped manually\0Multiple calls to Text(), not clipped");

in imgui_demo.cpp should be (some other calls look buggy too):

ImGui::Combo("Test type", &test_type, "Single call to TextUnformatted()\0Multiple calls to Text(), clipped manually\0Multiple calls to Text(), not clipped\0");

You should really consider a more safe separator, like \003 aka ETX.

ASan report:

================================================================
==28942==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000005d5f32 at pc 0x00000055564b bp 0x7fffbbc10d70 sp 0x7fffbbc10d68
READ of size 1 at 0x0000005d5f32 thread T0
    #0 0x55564a in ImGui::Combo(char const*, int*, char const*, int) /home/thomas/tmp/imgui/examples/opengl_example/../../imgui.cpp:7580:12
    #1 0x5714a9 in ShowExampleAppLongText(bool*) /home/thomas/tmp/imgui/examples/opengl_example/../../imgui_demo.cpp:2002:5
    #2 0x5714a9 in ImGui::ShowTestWindow(bool*) /home/thomas/tmp/imgui/examples/opengl_example/../../imgui_demo.cpp:103
    #3 0x4d0683 in main /home/thomas/tmp/imgui/examples/opengl_example/main.cpp:76:13
    #4 0x7f1851bf060f in __libc_start_main (/usr/lib/libc.so.6+0x2060f)
    #5 0x418f18 in _start (/data/data/tmp/imgui/examples/opengl_example/imgui_example+0x418f18)

0x0000005d5f32 is located 46 bytes to the left of global variable '<string literal>' defined in '../../imgui_demo.cpp:2003:17' (0x5d5f60) of size 36
  '<string literal>' is ascii string 'Buffer contents: %d lines, %d bytes'
0x0000005d5f32 is located 0 bytes to the right of global variable '<string literal>' defined in '../../imgui_demo.cpp:2002:43' (0x5d5ec0) of size 114
SUMMARY: AddressSanitizer: global-buffer-overflow /home/thomas/tmp/imgui/examples/opengl_example/../../imgui.cpp:7580:12 in ImGui::Combo(char const*, int*, char const*, int)
Shadow bytes around the buggy address:
  0x0000800b2b90: 00 02 f9 f9 f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9
  0x0000800b2ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05
  0x0000800b2bb0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 03
  0x0000800b2bc0: f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
  0x0000800b2bd0: 00 02 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
=>0x0000800b2be0: 00 00 00 00 00 00[02]f9 f9 f9 f9 f9 00 00 00 00
  0x0000800b2bf0: 04 f9 f9 f9 f9 f9 f9 f9 00 07 f9 f9 f9 f9 f9 f9
  0x0000800b2c00: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0000800b2c10: f9 f9 f9 f9 00 00 00 00 00 00 00 03 f9 f9 f9 f9
  0x0000800b2c20: 00 00 00 00 00 00 00 07 f9 f9 f9 f9 00 00 00 00
  0x0000800b2c30: 00 00 00 01 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==28942==ABORTING

The text was updated successfully, but these errors were encountered:

ocornut · 2015-08-13T17:57:38Z

Thanks, fixed.

The separator can't really be changed anymore unfortunately. I'll add that idea to my "severe breakage to consider for 2.0" list. Furthermore the semantic meaning of 003/ETX is arcane ascii knowledge and for most people it would feel particularly random/arbitrary. Whereas \0 even if arbitrary is easy to remember.

Includes my merged PRs and everything in my dev branch. Haven't tested with it yet. Changelog: Test case for clip rect HACK: more recent Windows SDK and VS2017; disable graph Set size to amount of space required Merge pull request ocornut#349 from maksw2/master Merge pull request ocornut#347 from mgerhardy/341 Merge pull request ocornut#348 from mgerhardy/fixed-warning Merge pull request ocornut#346 from mgerhardy/280 Merge pull request ocornut#345 from mgerhardy/322 Merge pull request ocornut#344 from rherilier/fix-gcc-warnings Merge pull request ocornut#336 from rherilier/add-isusingviewmanipulate Merge pull request ocornut#335 from RedSkittleFox/alternative_window Merge pull request ocornut#334 from ocornut/fix-beginchildframe dear imgui update and small fixes Merge pull request ocornut#316 from Batres3/2DSupport Merge pull request ocornut#326 from Sayama3/use-push-pop-id Merge pull request ocornut#328 from georgeto/master Merge pull request ocornut#330 from maritim/master Merge pull request ocornut#331 from GiovanyH/patch-1 Merge pull request ocornut#318 from dougbinks/imgui_math_operators Merge pull request ocornut#312 from kimidaisuki22/master div 0 fixed Merge pull request ocornut#301 from ZingBallyhoo/using-any Merge pull request ocornut#300 from Clog41200/Configurable-limits Merge pull request ocornut#298 from xDUDSSx/fix/rotation_circles Merge pull request ocornut#297 from xDUDSSx/fix/vertical-aspect-scaling Merge pull request ocornut#289 from ComputationalBiomechanicsLab/fix_isusing-ignores-setid Merge pull request ocornut#291 from ocornut/fix_math_operators_include Merge pull request ocornut#282 from MohitSethi99/master Merge pull request ocornut#276 from pthom/virtual_destructors Merge pull request ocornut#271 from idbrii/clip-parent Merge pull request ocornut#270 from idbrii/btn-behaviour Merge pull request ocornut#265 from mgerhardy/pr/fix-minor-formatting Merge pull request ocornut#264 from mgerhardy/pr/div0 Merge pull request ocornut#269 from peter1745/hatched-line-thickness-enhancement Merge pull request ocornut#259 from miyanyan/master Merge branch 'master' of https://github.com/CedricGuillemet/ImGuizmo update dear imgui Merge pull request ocornut#256 from Aidiakapi/patch-1 Merge pull request ocornut#252 from aaronkirkham/master Merge pull request ocornut#249 from rokups/rk/mouse-capture Merge pull request ocornut#246 from mgerhardy/pr/viewmanipulate removed commented code fix click view cube Merge pull request ocornut#231 from mgerhardy/master Merge pull request ocornut#230 from mgerhardy/master Merge pull request ocornut#228 from longod/master Merge pull request ocornut#227 from madeso/master AddBezierCubic Merge pull request ocornut#226 from sherief/master revert culling test commit Merge pull request ocornut#203 from rokups/rk/misc-fixes Merge pull request ocornut#212 from zhaijialong/fix-behind-camera-cull Merge pull request ocornut#209 from VictorFouquet/fix_normalize scale is always local Merge pull request ocornut#202 from pezy/master imguizmo namespace Merge pull request ocornut#194 from JonathanHiggs/vcpkg-example 1.84 WIP Merge pull request ocornut#197 from idbrii/seq-btn-color Merge pull request ocornut#196 from idbrii/seq-big-handles

ocornut added a commit that referenced this issue Aug 13, 2015

Demo: Fixed incorrectly formed string passed to Combo (#298)

d36a634

ocornut closed this as completed Aug 14, 2015

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Buffer overflow in ImGui::Combo() #298

Buffer overflow in ImGui::Combo() #298

tpoechtrager commented Aug 13, 2015

ocornut commented Aug 13, 2015

Buffer overflow in ImGui::Combo() #298

Buffer overflow in ImGui::Combo() #298

Comments

tpoechtrager commented Aug 13, 2015

ocornut commented Aug 13, 2015