List: busybox
Subject: Re: [PATCH 2/2] libbb: prevent overflow in bb_get_chunk_from_file
From: Denys Vlasenko <vda.linux () googlemail ! com>
Date: 2018-04-01 17:53:22
Message-ID: CAK1hOcMigH-xJ=LO4GBNdDs9t+EmiQv9h7PCsNXgjuqsJqHz_g () mail ! gmail ! com
Applied both, with small edit in the second patch.
Please try current git.
On Sun, Apr 1, 2018 at 5:05 PM, Quentin Rameau <quinq@fifth.space> wrote:
> Use an adapted type for array size and check it for overflow.
> ---
> editors/sed.c | 2 +-
> include/libbb.h | 2 +-
> libbb/get_line_from_file.c | 8 +++++---
> 3 files changed, 7 insertions(+), 5 deletions(-)
>
> diff --git a/editors/sed.c b/editors/sed.c
> index 9d800c2c3..470220859 100644
> --- a/editors/sed.c
> +++ b/editors/sed.c
> @@ -988,7 +988,7 @@ static void flush_append(char *last_puts_char)
> static char *get_next_line(char *gets_char, char *last_puts_char)
> {
> char *temp = NULL;
> - int len;
> + size_t len;
> char gc;
>
> flush_append(last_puts_char);
> diff --git a/include/libbb.h b/include/libbb.h
> index fa878433e..309c58734 100644
> --- a/include/libbb.h
> +++ b/include/libbb.h
> @@ -911,7 +911,7 @@ extern void xprint_and_close_file(FILE *file) FAST_FUNC;
> * end of line. If end isn't NULL, length of the chunk is stored in it.
> * Returns NULL if EOF/error.
> */
> -extern char *bb_get_chunk_from_file(FILE *file, int *end) FAST_FUNC;
> +extern char *bb_get_chunk_from_file(FILE *file, size_t *end) FAST_FUNC;
> /* Reads up to (and including) TERMINATING_STRING: */
> extern char *xmalloc_fgets_str(FILE *file, const char *terminating_string) FAST_FUNC RETURNS_MALLOC;
> /* Same, with limited max size, and returns the length (excluding NUL): */
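Review bot: Changing the out-parameter of `bb_get_chunk_from_file` from `int *end` to `size_t *end` is only safe if every caller is converted in the same commit. This patch updates `get_next_line` in editors/sed.c and `xmalloc_fgetline`, but any other caller still passing the address of an `int` would, on an LP64 target, have the callee store a wider value than the object holds. Whether such callers exist is not visible from this page, so the tree should be grepped for them and built with incompatible-pointer warnings treated as errors. The comment above the prototype could also say whether `*end` is written when the function returns NULL, e.g. `* On EOF/error returns NULL; *end is still set (to 0) if end isn't NULL.`, if that is indeed the contract.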
> diff --git a/libbb/get_line_from_file.c b/libbb/get_line_from_file.c
> index 941ea12b5..c61ac770e 100644
> --- a/libbb/get_line_from_file.c
> +++ b/libbb/get_line_from_file.c
> @@ -10,10 +10,10 @@
> */
> #include "libbb.h"
>
> -char* FAST_FUNC bb_get_chunk_from_file(FILE *file, int *end)
> +char* FAST_FUNC bb_get_chunk_from_file(FILE *file, size_t *end)
> {
> int ch;
> - unsigned idx = 0;
> + size_t idx = 0;
> char *linebuf = NULL;
>
> while ((ch = getc(file)) != EOF) {
> @@ -21,6 +21,8 @@ char* FAST_FUNC bb_get_chunk_from_file(FILE *file, int *end)
> if (!(idx & 0xff))
> linebuf = xrealloc(linebuf, idx + 0x100);
> linebuf[idx++] = (char) ch;
> + if (idx == (size_t)-1)
> + bb_error_msg_and_die(bb_msg_memory_exhausted);
> if (ch == '\0')
> break;
> if (end && ch == '\n')
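Review bot: The added guard `if (idx == (size_t)-1)` sits after the store and after the `xrealloc(linebuf, idx + 0x100)` call, so it does not cover the arithmetic that can actually wrap. `idx` is a multiple of 0x100 whenever the buffer grows, and `idx + 0x100` wraps to 0 once `idx` reaches `(size_t)-1 - 0xff`; from there 255 bytes would be written past a zero-sized request before `idx` ever equals `(size_t)-1`. The check belongs inside the `if (!(idx & 0xff))` branch, ahead of the reallocation: `if (idx > (size_t)-1 - 0x100) bb_error_msg_and_die(bb_msg_memory_exhausted);`. In practice the allocator will probably fail long before this point, but then the guard as placed adds no protection either. The function body continues outside this hunk.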
> @@ -49,7 +51,7 @@ char* FAST_FUNC xmalloc_fgets(FILE *file)
> /* Get line. Remove trailing \n */
> char* FAST_FUNC xmalloc_fgetline(FILE *file)
> {
> - int i;
> + size_t i;
> char *c = bb_get_chunk_from_file(file, &i);
>
> if (i && c[--i] == '\n')
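Review bot: `size_t i;` is read in `if (i && c[--i] == '\n')` without being initialized locally, so this line depends on `bb_get_chunk_from_file` always storing to `*end`, including when it returns NULL. That store is not visible in these hunks. With an unsigned type, a stale non-zero `i` combined with a NULL `c` would index far off a null pointer. Either initialize it (`size_t i = 0;`) or add a comment stating the callee's guarantee, e.g. `/* bb_get_chunk_from_file sets i even on EOF (c == NULL => i == 0) */`, if that is what the callee does.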
> --
> 2.14.2
>
> _______________________________________________
> busybox mailing list
> busybox@busybox.net
> http://lists.busybox.net/mailman/listinfo/busybox