From 7fd15f8e272136955f7ffc37df29fbca9ddceca1 Mon Sep 17 00:00:00 2001
From: David Rheinsberg <david.rheinsberg@gmail.com>
Date: Tue, 19 Apr 2022 13:11:02 +0200
Subject: [PATCH] strnspn: fix buffer overflow
Fix the strnspn and strncspn functions to use a properly sized buffer.
It used to be 1 byte too short. Checking for `0xff` in a string will
thus write `0xff` one byte beyond the stack space of the local buffer.
Note that the public API does not allow to pass `0xff` to those
functions. Therefore, this is a read-only buffer overrun, possibly
causing bogus reports from the parser, but still well-defined.
Reported-by: Steffen Robertz
Signed-off-by: David Rheinsberg <david.rheinsberg@gmail.com>
---
/subprojects/c-shquote/src/c-shquote.c | 4 ++--
/subprojects/c-shquote/src/test-private.c | 6 ++++++
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a//subprojects/c-shquote/src/c-shquote.c b//subprojects/c-shquote/src/c-shquote.c
index b268906..abb55d6 100644
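--- a//subprojects/c-shquote/src/c-shquote.c
+++ b//subprojects/c-shquote/src/c-shquote.c
@@ -85,7 +85,7 @@ int c_shquote_consume_char(char **outp,
 size_t c_shquote_strnspn(const char *string,
 size_t n_string,
 const char *accept) {
- bool buffer[UCHAR_MAX] = {};
+ bool buffer[UCHAR_MAX + 1] = {};
 for ( ; *accept; ++accept)
 buffer[(unsigned char)*accept] = true;
@@ -100,7 +100,7 @@ size_t c_shquote_strnspn(const char *string,
 size_t c_shquote_strncspn(const char *string,
 size_t n_string,
 const char *reject) {
- bool buffer[UCHAR_MAX] = {};
+ bool buffer[UCHAR_MAX + 1] = {};
 if (strlen(reject) == 1) {
 const char *p;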
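Review bot: The table size `UCHAR_MAX + 1` is spelled out separately in c_shquote_strnspn and c_shquote_strncspn with nothing stating why it must cover every `unsigned char` value, which is the kind of implicit invariant that let the original off-by-one slip through. A short comment on each declaration, such as `/* one slot per unsigned char value: indices 0..UCHAR_MAX inclusive */`, or a single shared constant used by both functions, would keep the two tables from drifting apart again. Separately, `= {}` is not valid ISO C before C23; `bool buffer[UCHAR_MAX + 1] = {0};` is the portable spelling if the project does not depend on GNU extensions. Both function bodies continue outside these hunks, so the lookups on the bytes of `string` are not visible here and should be checked to use the same `(unsigned char)` cast as the fill loop.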
diff --git a//subprojects/c-shquote/src/test-private.c b//subprojects/c-shquote/src/test-private.c
index 57a7250..c6afe40 100644
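--- a//subprojects/c-shquote/src/test-private.c
+++ b//subprojects/c-shquote/src/test-private.c
@@ -148,6 +148,9 @@ static void test_strnspn(void) {
 len = c_shquote_strnspn("ab", 2, "bc");
 c_assert(len == 0);
+
+ len = c_shquote_strnspn("ab", 2, "\xff");
+ c_assert(len == 0);
 }
 static void test_strncspn(void) {
@@ -167,6 +170,9 @@ static void test_strncspn(void) {
 len = c_shquote_strncspn("ab", 2, "cd");
 c_assert(len == 2);
+
+ len = c_shquote_strncspn("ab", 2, "\xff");
+ c_assert(len == 2);
 }
 static void test_discard_comment(void) {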
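Review bot: The added `c_shquote_strncspn("ab", 2, "\xff")` case passes a one-byte reject set, and the c-shquote.c hunk shows an `if (strlen(reject) == 1)` branch directly after the table declaration, so this case probably never touches the resized buffer. A reject set of two or more bytes would go through the table, for example `len = c_shquote_strncspn("ab", 2, "c\xff");` followed by `c_assert(len == 2);`. Both new cases also keep `0xff` out of the scanned string, so the lookup side described in the commit message is not covered; a case such as `c_shquote_strnspn("\xff", 1, "\xff")` (expected 1, assuming strspn semantics) would cover it. A one-byte out-of-bounds stack access will not reliably fail a plain `c_assert`, so these cases only act as regression guards when the suite runs under AddressSanitizer or a similar checker.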