|
 |
0c4686 |
From 1067cdba6d08f2a765cb0ea371189a5b703eb4db Mon Sep 17 00:00:00 2001
|
|
|
0c4686 |
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
|
|
0c4686 |
Date: Thu, 22 Feb 2018 16:39:43 +0100
|
|
|
0c4686 |
Subject: [PATCH] Fix a heap-buffer-overflow in find_archive()
|
|
|
0c4686 |
MIME-Version: 1.0
|
|
|
0c4686 |
Content-Type: text/plain; charset=UTF-8
|
|
|
0c4686 |
Content-Transfer-Encoding: 8bit
|
|
|
0c4686 |
|
|
|
0c4686 |
rw_buffer has allocated rw_base_size bytes. But subsequend fgets() in
|
|
|
0c4686 |
find_archive() reads up-to BUFSIZ bytes.
|
|
|
0c4686 |
|
|
|
0c4686 |
On my system, BUFSIZ is 8192. rw_base_size is usually equaled to
|
|
|
0c4686 |
a memory page size, 4096 on my system. Thus find_archive() can write
|
|
|
0c4686 |
beyonded allocated memmory for rw_buffer array:
|
|
|
0c4686 |
|
|
|
0c4686 |
$ valgrind -- ./unshar /tmp/id\:000000\,sig\:06\,src\:000005+000030\,op\:splice\,rep\:4
|
|
|
0c4686 |
==30582== Memcheck, a memory error detector
|
|
|
0c4686 |
==30582== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
|
|
|
0c4686 |
==30582== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
|
|
|
0c4686 |
==30582== Command: ./unshar /tmp/id:000000,sig:06,src:000005+000030,op:splice,rep:4
|
|
|
0c4686 |
==30582==
|
|
|
0c4686 |
==30582== Invalid write of size 1
|
|
|
0c4686 |
==30582== at 0x4EAB480: _IO_getline_info (in /usr/lib64/libc-2.27.so)
|
|
|
0c4686 |
==30582== by 0x4EB47C2: fgets_unlocked (in /usr/lib64/libc-2.27.so)
|
|
|
0c4686 |
==30582== by 0x10BF60: fgets_unlocked (stdio2.h:320)
|
|
|
0c4686 |
==30582== by 0x10BF60: find_archive (unshar.c:243)
|
|
|
0c4686 |
==30582== by 0x10BF60: unshar_file (unshar.c:379)
|
|
|
0c4686 |
==30582== by 0x10BCCC: validate_fname (unshar-opts.c:604)
|
|
|
0c4686 |
==30582== by 0x10BCCC: main (unshar-opts.c:639)
|
|
|
0c4686 |
==30582== Address 0x523a790 is 0 bytes after a block of size 4,096 alloc'd
|
|
|
0c4686 |
==30582== at 0x4C2DBBB: malloc (vg_replace_malloc.c:299)
|
|
|
0c4686 |
==30582== by 0x10C670: init_unshar (unshar.c:450)
|
|
|
0c4686 |
==30582== by 0x10BC55: main (unshar-opts.c:630)
|
|
|
0c4686 |
|
|
|
0c4686 |
This was reported in
|
|
|
0c4686 |
<http://lists.gnu.org/archive/html/bug-gnu-utils/2018-02/msg00004.html>.
|
|
|
0c4686 |
|
|
|
0c4686 |
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
|
|
0c4686 |
---
|
|
|
0c4686 |
src/unshar.c | 2 +-
|
|
|
0c4686 |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
0c4686 |
|
|
|
0c4686 |
diff --git a/src/unshar.c b/src/unshar.c
|
|
|
0c4686 |
index 80bc3a9..0fc3773 100644
|
|
|
0c4686 |
--- a/src/unshar.c
|
|
|
0c4686 |
+++ b/src/unshar.c
|
|
|
0c4686 |
@@ -240,7 +240,7 @@ find_archive (char const * name, FILE * file, off_t start)
|
|
|
0c4686 |
off_t position = ftello (file);
|
|
|
0c4686 |
|
|
|
0c4686 |
/* Read next line, fail if no more and no previous process. */
|
|
|
0c4686 |
- if (!fgets (rw_buffer, BUFSIZ, file))
|
|
|
0c4686 |
+ if (!fgets (rw_buffer, rw_base_size, file))
|
|
|
0c4686 |
{
|
|
|
0c4686 |
if (!start)
|
|
|
0c4686 |
error (0, 0, _("Found no shell commands in %s"), name);
|
|
|
0c4686 |
--
|
|
|
0c4686 |
2.13.6
|
|
|
0c4686 |
|