WindowManager creates dynamic area with incorrectly terminated description string
Charles Ferguson (8243) 427 posts |
RISC OS 5.31 RC3. The WindowManager creates a dynamic area called `Clipboard workspace`. Or at least that’s what it intends to do. It uses a lookup of a token in the messages file, but it uses it directly from the MessageTrans workspace. This means that it gets back a pointer into the file in ResourceFS. It then uses this to call OS_DynamicArea Create, with the pointer in r8. The dynamic area is thus created with the name “Clipboard workspace<10>ClipMgr:Cli”. The string is truncated because the quick handles are in use, and this trims the string to 31 characters – if that configuration option were not selected, the Kernel would allocate memory for the entire string up to the next 0, which would have been a lot longer.

I have a program that lists the dynamic areas, with the name pointer as the second parameter (the program’s simple enough, and not relevant here). The output is thus:

```
259. 300596D4 38290000 00001000/00400000
258. 3005962C 37D00000 00000000/00590000
257. 30058498 37500000 00003000/00800000
4.   30058154 34100000 00010000/02000000
6.   FC01CE0C 00000000 081E9000/10800000
1.   3004770C 20000000 00140000/10000000
260. 30059DA8 38690000 00001000/01000000
5.   300580F4 34000000 00000000/00000000
2.   3004776C 32800000 0004B000/00800000
0.   FC01CE28 30000000 0005F000/02000000
3.   30058094 33000000 00000000/01000000
262. 3005AF1C 3A690000 00001000/01000000
261. 3005AC54 39690000 0000A000/01000000
991. 300583D4 36500000 00001000/01000000
256. 300582E8 36100000 00000000/00400000
```

Dynamic Area 257 is the Clipboard workspace (just trust me… I was being lazy). So if we look at the address of the string, we get…

```
>*memory 30058498
Address  :  B A 9 8  F E D C  3 2 1 0  7 6 5 4 : ASCII Data
30058498 : 70696C43 72616F62 6F772064 70736B72 : Clipboard worksp
300584A8 : 0A656361 70696C43 3A72674D 00696C43 : ace.ClipMgr:Cli.
300584B8 : 0000021C 0000000C 00000060 00000020 : ........`... ...
300584C8 : 00000005 00000002 30002A9C 300032E4 : ........œ*.0ä2.0
300584D8 : 00000000 FC173870 30002884 00000020 : ....p8.ü„(.0 ...
300584E8 : 00000005 00000001 30002A9C FC111C64 : ........œ*.0d..ü
300584F8 : 300028D4 00000000 FC1311F8 00000020 : Ô(.0....ø..ü ...
30058508 : 00000005 00000002 30002A9C 30002C7C : ........œ*.0|,.0
30058518 : FC174B10 300029EC 00000000 0000003C : .K.üì).0....<...
30058528 : 00000030 00000018 FC1E5D18 30002CBC : 0........].ü¼,.0
30058538 : 00000000 FC2B4C08 30003194 00000000 : .....L+ü”1.0....
30058548 : FC19B8B0 30002AB4 00000000 FC1B4628 : °¸.ü´*.0....(F.ü
30058558 : 30002B2C 00000000 0000003C 00000030 : ,+.0....<...0...
30058568 : 00000024 FC111C64 300028D4 00000000 : $...d..üÔ(.0....
30058578 : FC1311F8 300028FC 00000000 FC1FD46C : ø..üü(.0....lÔ.ü
30058588 : 30002D0C 00000000 00000000 00000000 : .-.0............
```

If I attempt to list the dynamic areas in RISC OS Pyromaniac, which copies the string as supplied, we get a somewhat more frustrating output…

```
*help dynamicareas
==> Help on keyword 'DynamicAreas' (OSCommands)
Number     Base      +Size     Maximum   Name
-1         00008000  +00100000 03000000  Application Space
0          04109000  +00020000 002F8000  System heap
1          07000000  +00100000 00F00000  Module area
11         03800000  +00100000 00800000  ROM
13         04100000  +00008000 00008000  SVC Stack
14         04000000  +00004000 00004000  IRQ Stack
15         08400000  +00004000 00004000  UND Stack
48         00000000  +00008000 00008000  Zero Page
49         FFFF0000  +00001000 00010000  Exception vectors
50         04800000  +00001000 00020000  Utility executables
&100       FC000000  +00400000 00400000  Extension ROM
&101       06000000  +00002000 00800000  Clipboard workspace ClipMgr:Clipboard Manager NoClaim:[^[/27:]ÿ un[^[/27:]¥[^[/27:] claim work a[^[/27:]À BadSprite:S[^[/27:]T doesn't exist BadSprites:S[^[/27:]Ts [^[/27:]i unsquash[^[/27:] BadOp:[^[/27:]3[^[/27:]ÿ[^[/27:]fr[^[/27:]4in t[^[/27:]Ec[^[/27:]t[^[/27:]Ö RectFull:R[^[/27:]Mangle a[^[/27:]À full TooBig:[^[/27:]|c[^[/27:]Àte t[^[/27:]Ew[^[/27:]N[^[/27:]Fmenu GetRect:Get_R[^[/27:]MangleipeFS
&103       09404000  +00005000 01000000  Toolbox
&104       0A404000  +00001000 01000000  TextArea workspace
&105       05000000  +00006000 00400000  Wimp workspace
&70705357  0C404000  +00001000 01000000  Wimp priority pool
&72705357  0B404000  +00001000 01000000  Wimp sprite pool
```

The Wimp should be copying the string to its own buffer and terminating it, rather than assuming that clients will read the description string as control terminated. Or put a NUL in the Messages file, but that’s pretty ugly.
Charles Ferguson (8243) 427 posts |
I’ve added a check in RISC OS Pyromaniac for such a use. This now reports a warning if such a string is used:

```
Initialise module: # 7 WindowManager flags &00000001
==== Begin OS_DynamicArea Create misuse ====
Dynamic area 'Clipboard workspace' created with control-terminated description
Registers:
  r0  = &00000000, r1  = &ffffffff, r2  = &000003b0, r3  = &ffffffff
  r4  = &00000080, r5  = &00800000, r6  = &00000000, r7  = &ffffffff
  r8  = &fc09aebb, r9  = &99000000, r10 = &0000ff00, r11 = &fc112f00
  r12 = &070059bc, sp  = &04107f4c, lr  = &fc112d48, pc  = &fc1306f4
  CPSR= &60000013 : SVC-32 ARM fi ae qvCZn
  SPSR= &20000013 : SVC-32 ARM fi ae qvCzn
Locations:
  r8  -> "Clipboard workspace" in DA 'Extension ROM', module 'Messages'
  r10 -> [&00000000, &00000000, &00000000, &00000000] in DA 'Application Space'
  r11 -> [&00cc0000, &0000dd00, &bbeeee00, &00885500] in DA 'Extension ROM', module 'WindowManager'
  r12 -> [&00000000, &00000000, &00000000, &00000000] in DA 'Module area', module 'WindowManager%Base' workspace
  pc is DA 'Extension ROM', module 'WindowManager'
  lr is DA 'Extension ROM', module 'WindowManager'
Recently executed code:
---- Block &fc10f55c, 1 instructions ----
fc10f55c: {DA 'Extension ROM', module 'MessageTrans'}
fc10f55c: BL      &FC10F76C
---- Block &fc10f76c, 3 instructions ----
fc10f76c: CMP     r3, r4
fc10f770: LDRBLO  r8, [r3], #1
fc10f774: MSRLO   apsr_nzcvq, #0        ; #------ --- -- -- qvczn
---- Block &fc10f778, 1 instructions ----
fc10f778: MOVLO   pc, lr
---- Block &fc10f560, 1 instructions ----
fc10f560: BVS     &FC10F510
---- Block &fc10f564, 6 instructions ----
fc10f564: CMP     r8, #&1b              ; #27
fc10f568: ADDEQ   r3, r3, #1
fc10f56c: CMP     r8, #&a
fc10f570: CMPNE   r8, #&d               ; #13
fc10f574: CMPNE   r8, #0
fc10f578: BNE     &FC10F55C
---- Block &fc10f57c, 5 instructions ----
fc10f57c: SUB     r3, r3, #1
fc10f580: LDR     lr, [sp, #8]
fc10f584: SUB     r3, r3, lr
fc10f588: STR     r3, [sp, #&c]
fc10f58c: B       &FC10F510
---- Block &fc10f510, 2 instructions ----
fc10f510: STRVS   r0, [sp]
fc10f514: POP     {r0, r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, pc}
---- Block &fc10f350, 2 instructions ----
fc10f350: LDRVC   r0, [sp], #&10
fc10f354: POPVC   {pc}
---- Block &04107f20, 1 instructions ----
4107f20: {DA 'SVC Stack'}
4107f20: SWI     &FEED05
---- Block &fc1306cc, 10 instructions ----
fc1306cc: {DA 'Extension ROM', module 'WindowManager'}
fc1306cc: MOVVC   r8, r2
fc1306d0: MOVVC   r0, #0
fc1306d4: MVNVC   r1, #0                ; #&ffffffff = -1
fc1306d8: MOVVC   r2, #&3b0             ; #944
fc1306dc: MVNVC   r3, #0                ; #&ffffffff = -1
fc1306e0: MOVVC   r4, #&80              ; #128 = bit 7
fc1306e4: MOVVC   r5, #&800000          ; #8388608 = bit 23
fc1306e8: MOVVC   r6, #0
fc1306ec: MVNVC   r7, #0                ; #&ffffffff = -1
fc1306f0: SWIVC   XOS_DynamicArea
==== End OS_DynamicArea Create misuse ====
```
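The two posts above describe three pieces of behaviour: the Kernel reading the r8 description as a NUL-terminated string (truncating to 31 characters when quick handles are in use, otherwise copying up to the next 0), the fix the first post proposes (the Wimp copying the MessageTrans token into its own buffer and NUL-terminating it), and the check Pyromaniac now makes (flagging a description whose terminator is a control character other than NUL). The C below is an added illustration of those three things, not code from the Wimp, the Kernel or Pyromaniac. The `messages_blob` bytes are constructed to mimic a MessageTrans lookup landing inside the Messages file; the `ctrl_strlen`, `is_control_terminated`, `kernel_copy_name` and `wimp_safe_name` names are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-in for the bytes a MessageTrans lookup returns when it
 * hands back a pointer into the Messages file: the token value is terminated
 * by a linefeed and the next token follows it immediately, with no NUL until
 * the end of the file. */
static const char messages_blob[] =
    "Clipboard workspace\nClipMgr:Clipboard Manager\n";

/* Control-terminated length, as MessageTrans strings are defined: the string
 * ends at the first byte below 32 (NUL, LF and CR all count). The terminator
 * itself is not included in the count. */
size_t ctrl_strlen(const char *s)
{
    size_t n = 0;
    while ((unsigned char)s[n] >= 32)
        n++;
    return n;
}

/* The misuse check Pyromaniac applies: a description whose terminator is a
 * control character other than NUL will be read past by a NUL-terminated
 * consumer such as OS_DynamicArea Create. Returns 1 for misuse, 0 if clean. */
int is_control_terminated(const char *s)
{
    return s[ctrl_strlen(s)] != '\0';
}

/* Models what the Kernel stores for the area name when given `src` in r8:
 * it reads up to the next NUL (straight through the LF), and with quick
 * handles in use clamps the result to 31 characters. Returns the number of
 * bytes stored, excluding the NUL this model appends. */
size_t kernel_copy_name(char *dst, size_t dstsz, const char *src, int quick_handles)
{
    size_t n = strlen(src);            /* runs past the LF to the next NUL */
    if (quick_handles && n > 31)
        n = 31;
    if (n >= dstsz)
        n = dstsz - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* The fix proposed in the thread: the Wimp copies the token into its own
 * buffer, stopping at the control terminator, and NUL-terminates it before
 * passing the buffer to OS_DynamicArea Create. */
size_t wimp_safe_name(char *dst, size_t dstsz, const char *token)
{
    size_t n = ctrl_strlen(token);
    if (n >= dstsz)
        n = dstsz - 1;
    memcpy(dst, token, n);
    dst[n] = '\0';
    return n;
}

int main(void)
{
    char name[128];

    printf("misuse flagged: %d\n", is_control_terminated(messages_blob));

    kernel_copy_name(name, sizeof name, messages_blob, 1);
    printf("kernel, quick handles: \"%s\" (%zu chars)\n", name, strlen(name));

    kernel_copy_name(name, sizeof name, messages_blob, 0);
    printf("kernel, no quick handles: %zu chars\n", strlen(name));

    wimp_safe_name(name, sizeof name, messages_blob);
    printf("wimp copy: \"%s\"\n", name);
    return 0;
}
```

With quick handles the model yields the 31-character name “Clipboard workspace<10>ClipMgr:Cli” seen in the first post; without them it yields the whole blob up to the file’s NUL, which is what the Pyromaniac listing shows. Only the `wimp_safe_name` path produces “Clipboard workspace” on its own.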
Rick Murray (539) 13840 posts |
Ooh, I like the annotation. Kind of wish Debugger could do useful things like that.

```
fc1306dc: MVNVC   r3, #0                ; #&ffffffff = -1
fc1306e0: MOVVC   r4, #&80              ; #128 = bit 7
fc1306e4: MOVVC   r5, #&800000          ; #8388608 = bit 23
```
Charles Ferguson (8243) 427 posts |
Ah, the joys of high level languages… https://github.com/gerph/riscos-disassemble-python/blob/master/disassemble.py#L400 Of course, replacing Debugger should be a relatively trivial matter, as it’s not like it’s doing anything especially groundbreaking. Then you could update it to do such things significantly more easily. |