File invalid_reads.patch of Package mc.8087

commit 4821259d85f8e9508a6447b8ddf47348d21f79cd
Author: Andreas Mohr <and@gmx.li>
Date:   Sat Apr 11 12:47:52 2015 +0300

    Ticket #3437: (custom_canonicalize_pathname): fix heap-buffer-overflow.
    
    Only use strncmp when path has enough room (greater than url_delim_len
    size).
    The overflow happens when path = './'.
    
    (Found by AddressSanitizer.)
    
    Signed-off-by: Andrew Borodin <aborodin@vmail.ru>

(gdb) up
#1  0x000000000046f67a in custom_canonicalize_pathname (path=0x797da30 "./", flags=CANON_PATH_ALL) at utilunix.c:684
684                     && strncmp (p - url_delim_len + 1, VFS_PATH_URL_DELIMITER, url_delim_len) == 0)
(gdb) p path
$1 = 0x797da30 "./"
(gdb) p url_delim_len
$2 = 3

==19264== Invalid read of size 1
==19264==    at 0x4C2CDF9: __strncmp_sse42 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==19264==    by 0x46F679: custom_canonicalize_pathname (utilunix.c:684)
==19264==    by 0x46FC3A: canonicalize_pathname (utilunix.c:875)
==19264==    by 0x46FEAA: mc_build_filenamev (utilunix.c:1120)
==19264==    by 0x47001D: mc_build_filename (utilunix.c:1158)
==19264==    by 0x456AC2: vfs_canon (path.c:159)
==19264==    by 0x457A91: vfs_path_from_str_flags (path.c:734)
==19264==    by 0x457B46: vfs_path_from_str (path.c:764)
==19264==    by 0x4299E7: panel_operate (file.c:2737)
==19264==    by 0x4198EB: copy_cmd (cmd.c:894)
==19264==    by 0x44AF43: midnight_execute_cmd (midnight.c:1142)
==19264==    by 0x44B8B9: midnight_callback (midnight.c:1588)
==19264==  Address 0x797da2f is 1 bytes before a block of size 3 alloc'd
==19264==    at 0x4C29130: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==19264==    by 0x583441F: g_malloc (gmem.c:94)
==19264==    by 0x584B58E: g_strdup (gstrfuncs.c:363)
==19264==    by 0x46FE4D: mc_build_filenamev (utilunix.c:1116)
==19264==    by 0x47001D: mc_build_filename (utilunix.c:1158)
==19264==    by 0x456AC2: vfs_canon (path.c:159)
==19264==    by 0x457A91: vfs_path_from_str_flags (path.c:734)
==19264==    by 0x457B46: vfs_path_from_str (path.c:764)
==19264==    by 0x4299E7: panel_operate (file.c:2737)
==19264==    by 0x4198EB: copy_cmd (cmd.c:894)
==19264==    by 0x44AF43: midnight_execute_cmd (midnight.c:1142)
==19264==    by 0x44B8B9: midnight_callback (midnight.c:1588)
==19264==

Index: mc-4.8.11/lib/utilunix.c
===================================================================
--- mc-4.8.11.orig/lib/utilunix.c
+++ mc-4.8.11/lib/utilunix.c
@@ -680,7 +680,7 @@ custom_canonicalize_pathname (char *path
         p = lpath + strlen (lpath) - 1;
         while (p > lpath && *p == PATH_SEP)
         {
-            if (p >= lpath - (url_delim_len + 1)
+            if (p >= lpath + url_delim_len - 1
                 && strncmp (p - url_delim_len + 1, VFS_PATH_URL_DELIMITER, url_delim_len) == 0)
                 break;
             *p-- = 0;
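Review bot: The corrected bound `p >= lpath + url_delim_len - 1` carries no explanation, and the removed line shows how easily the sign gets flipped; a comment above the `if` would keep it from regressing, for example `/* compare only when the url_delim_len bytes ending at p lie inside lpath */`. The patch as shown touches only lib/utilunix.c, so there is no regression test; a case that canonicalizes `./` and runs under AddressSanitizer or valgrind would pin the invalid read reported above. On the context line `p = lpath + strlen (lpath) - 1`, an empty lpath would form a pointer one before the buffer, which the loop condition never dereferences; whether lpath can be empty here is not visible. The loop is inside custom_canonicalize_pathname, whose body starts and ends outside the hunk.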