Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Factory:PowerPC
indent
fix-out-of-buffer-read-CVE-2023-40305.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File fix-out-of-buffer-read-CVE-2023-40305.patch of Package indent
From d091dae6b9080859cd47b85fc0a73e572d40d9be Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> Date: Tue, 15 Aug 2023 14:09:06 +0200 Subject: [PATCH 1/2] Fix an out-of-buffer read in search_brace()/lexi() on an condition without parentheses followed with an overlong comment MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reproducer: $ hexdump -C /tmp/short 00000000 69 66 20 30 3b 65 6c 73 65 2f 2a 0a 0a 0a 0a 0a |if 0;else/*.....| 00000010 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a |................| * 00000800 0a 0a 2a 2f 78 0a |..*/x.| 00000806 $ valgrind -- ./indent -o /dev/null /tmp/short [...] ==21830== Invalid read of size 1 ==21830== at 0x40586A: lexi (lexi.c:251) ==21830== by 0x40198C: search_brace (indent.c:387) ==21830== by 0x401CC2: indent_main_loop (indent.c:548) ==21830== by 0x402298: indent (indent.c:758) ==21830== by 0x402941: indent_single_file (indent.c:1003) ==21830== by 0x402A0F: indent_all (indent.c:1041) ==21830== by 0x402BC5: main (indent.c:1122) ==21830== Address 0x4ab2210 is 0 bytes inside a block of size 2,048 free'd ==21830== at 0x4847A40: realloc (vg_replace_malloc.c:1649) ==21830== by 0x408BC0: xrealloc (globs.c:64) ==21830== by 0x40BF03: need_chars (handletoken.c:89) ==21830== by 0x401433: sw_buffer (indent.c:149) ==21830== by 0x401973: search_brace (indent.c:380) ==21830== by 0x401CC2: indent_main_loop (indent.c:548) ==21830== by 0x402298: indent (indent.c:758) ==21830== by 0x402941: indent_single_file (indent.c:1003) ==21830== by 0x402A0F: indent_all (indent.c:1041) ==21830== by 0x402BC5: main (indent.c:1122) ==21830== Block was alloc'd at ==21830== at 0x4847A40: realloc (vg_replace_malloc.c:1649) ==21830== by 0x408BC0: xrealloc (globs.c:64) ==21830== by 0x40BF03: need_chars (handletoken.c:89) ==21830== by 0x401696: search_brace (indent.c:281) ==21830== by 0x401CC2: indent_main_loop (indent.c:548) ==21830== by 0x402298: indent (indent.c:758) ==21830== by 0x402941: indent_single_file (indent.c:1003) ==21830== by 0x402A0F: indent_all (indent.c:1041) ==21830== by 0x402BC5: main (indent.c:1122) The cause was that need_chars(&save_com, ...) could reallocate save_com.ptr pointer keeping a dangling copy of that pointer saved to buf_ptr a line above. Related to CVE-2023-40305 Signed-off-by: Petr Písař <ppisar@redhat.com> --- regression/TEST | 3 +- regression/input/comment-heap-overread.c | 2040 ++++++++++++++++++ regression/standard/comment-heap-overread.c | 2042 +++++++++++++++++++ src/indent.c | 2 +- 4 files changed, 4085 insertions(+), 2 deletions(-) create mode 100644 regression/input/comment-heap-overread.c create mode 100644 regression/standard/comment-heap-overread.c diff --git a/regression/TEST b/regression/TEST index 37d0664..0933e9b 100755 --- a/regression/TEST +++ b/regression/TEST @@ -39,7 +39,8 @@ BUGS="case-label.c one-line-1.c one-line-2.c one-line-3.c \ one-line-4.c struct-decl.c sizeof-in-while.c line-break-comment.c \ macro.c enum.c elif.c nested.c wrapped-string.c minus_predecrement.c \ bug-gnu-33364.c float-constant-suffix.c block-comments.c \ - no-forced-nl-in-block-init.c hexadecimal_float.c binary-constant.c" + no-forced-nl-in-block-init.c hexadecimal_float.c binary-constant.c \ + comment-heap-overread.c" INDENTSRC="args.c backup.h backup.c dirent_def.h globs.c indent.h \ indent.c indent_globs.h io.c lexi.c memcpy.c parse.c pr_comment.c \ diff --git a/regression/input/comment-heap-overread.c b/regression/input/comment-heap-overread.c new file mode 100644 index 0000000..5b0b172 --- /dev/null +++ b/regression/input/comment-heap-overread.c @@ -0,0 +1,2040 @@ +if 0;else/* + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +*/x diff --git a/regression/standard/comment-heap-overread.c b/regression/standard/comment-heap-overread.c new file mode 100644 index 0000000..e601fb4 --- /dev/null +++ b/regression/standard/comment-heap-overread.c @@ -0,0 +1,2042 @@ +if 0; +else /* + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + */ + x diff --git a/src/indent.c b/src/indent.c index fc69974..3f9ffc9 100644 --- a/src/indent.c +++ b/src/indent.c @@ -145,8 +145,8 @@ static void sw_buffer(void) parser_state_tos->search_brace = false; bp_save = buf_ptr; be_save = buf_end; - buf_ptr = save_com.ptr; need_chars (&save_com, 1); + buf_ptr = save_com.ptr; buf_end = save_com.end; save_com.end = save_com.ptr; /* make save_com empty */ } -- 2.41.0
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
