emo/busybox
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

sed: prevent overflow of length from bb_get_chunk_from_file

Browse Source 
This fragment did not work right:

                temp = bb_get_chunk_from_file(fp, &len);
                if (temp) {
                        /* len > 0 here, it's ok to do temp[len-1] */
                        char c = temp[len-1];

With "int len" _sign-extending_, temp[len-1] can refer to a wrong location
if len > 0x7fffffff.

Signed-off-by: Quentin Rameau <quinq@fifth.space>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
This commit is contained in:
Quentin Rameau 2018-04-01 19:49:58 +02:00 committed by Denys Vlasenko
parent 2da9724b56
commit e2afae6303
3 changed files with 9 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
editors/sed.c
View File

@ -988,7 +988,7 @@ static void flush_append(char *last_puts_char)
static char *get_next_line(char *gets_char, char *last_puts_char) static char *get_next_line(char *gets_char, char *last_puts_char)
{ {
char *temp = NULL; char *temp = NULL;
int len; size_t len;
char gc; char gc;
flush_append(last_puts_char); flush_append(last_puts_char);

2
include/libbb.h
View File

@ -911,7 +911,7 @@ extern void xprint_and_close_file(FILE *file) FAST_FUNC;
* end of line. If end isn't NULL, length of the chunk is stored in it. * end of line. If end isn't NULL, length of the chunk is stored in it.
* Returns NULL if EOF/error. * Returns NULL if EOF/error.
*/ */
extern char *bb_get_chunk_from_file(FILE *file, int *end) FAST_FUNC; extern char *bb_get_chunk_from_file(FILE *file, size_t *end) FAST_FUNC;
/* Reads up to (and including) TERMINATING_STRING: */ /* Reads up to (and including) TERMINATING_STRING: */
extern char *xmalloc_fgets_str(FILE *file, const char *terminating_string) FAST_FUNC RETURNS_MALLOC; extern char *xmalloc_fgets_str(FILE *file, const char *terminating_string) FAST_FUNC RETURNS_MALLOC;
/* Same, with limited max size, and returns the length (excluding NUL): */ /* Same, with limited max size, and returns the length (excluding NUL): */

11
libbb/get_line_from_file.c
View File

@ -10,16 +10,19 @@
*/ */
#include "libbb.h" #include "libbb.h"
char* FAST_FUNC bb_get_chunk_from_file(FILE *file, int *end) char* FAST_FUNC bb_get_chunk_from_file(FILE *file, size_t *end)
{ {
int ch; int ch;
unsigned idx = 0; size_t idx = 0;
char *linebuf = NULL; char *linebuf = NULL;
while ((ch = getc(file)) != EOF) { while ((ch = getc(file)) != EOF) {
/* grow the line buffer as necessary */ /* grow the line buffer as necessary */
if (!(idx & 0xff)) if (!(idx & 0xff)) {
if (idx == ((size_t)-1) - 0xff)
bb_error_msg_and_die(bb_msg_memory_exhausted);
linebuf = xrealloc(linebuf, idx + 0x100); linebuf = xrealloc(linebuf, idx + 0x100);
}
linebuf[idx++] = (char) ch; linebuf[idx++] = (char) ch;
if (ch == '\0') if (ch == '\0')
break; break;
@ -49,7 +52,7 @@ char* FAST_FUNC xmalloc_fgets(FILE *file)
/* Get line. Remove trailing \n */ /* Get line. Remove trailing \n */
char* FAST_FUNC xmalloc_fgetline(FILE *file) char* FAST_FUNC xmalloc_fgetline(FILE *file)
{ {
int i; size_t i;
char *c = bb_get_chunk_from_file(file, &i); char *c = bb_get_chunk_from_file(file, &i);
if (i && c[--i] == '\n') if (i && c[--i] == '\n')