Kevux Git Server - fll/commitdiff
Security: Missing range checks on comment processing, handling missed spots.
authorKevin Day <Kevin@kevux.org>
Sat, 10 Aug 2024 03:17:01 +0000 (22:17 -0500)
committerKevin Day <Kevin@kevux.org>
Sat, 10 Aug 2024 03:17:01 +0000 (22:17 -0500)
I failed to perform all of the changes when I backported commit 27c0bbafc2c0f3ae49c0e45297a2dc9f82c11221 via commit 1898cbbc7e92dfafb1e2fa3538284442e21c3879.

The while loop bounds its index against the comments length.
The if condition immediately after the loop does not perform that check.
This check is being performed in the original commit that I backported from.
This is simply a backporting oversight.

level_3/fss_basic_list_read/c/private-read.c
level_3/fss_extended_list_read/c/private-read.c
level_3/fss_payload_read/c/private-read.c

index cd668bce3198d3276999f647e01f34e79efccc69..d06313288be9bf1a4949302e3f5a357845c45642 100644 (file)
@@ -508,7 +508,7 @@ extern "C" {
         if (j < data->comments.used) {
           while (j < data->comments.used && data->comments.array[j].stop < i) ++j;
 
-          if (i >= data->comments.array[j].start && i <= data->comments.array[j].stop) {
+          if (j < data->comments.used && i >= data->comments.array[j].start && i <= data->comments.array[j].stop) {
             i = data->comments.array[j++].stop;
 
             continue;
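Review bot: The skip-over-comment sequence guarded here is written out six times across the three private-read.c files (this hunk and the one at -775, plus -514/-781 and -736/-1121 in the other two files), which is how the backport could fix the `while` bound and still miss the `if` in every copy. Moving the sequence into one static helper that receives `data`, the current position and a pointer to `j`, and reports whether the position lies inside a comment, would keep the `j < data->comments.used` test in a single place; whether the three programs share a private header that could hold such a helper is not visible here. If the copies stay, a comment above the `if` such as `// The loop above can leave j == comments.used, so re-check before indexing.` would record why the bound is tested twice. A regression input whose last comment ends before the final position being scanned would exercise exactly this path. The enclosing loop starts and ends outside the hunk.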
@@ -775,7 +775,7 @@ extern "C" {
           if (j < data->comments.used) {
             while (j < data->comments.used && data->comments.array[j].stop < i) ++j;
 
-            if (i >= data->comments.array[j].start && i <= data->comments.array[j].stop) {
+            if (j < data->comments.used && i >= data->comments.array[j].start && i <= data->comments.array[j].stop) {
               i = data->comments.array[j++].stop;
 
               continue;
index 1c04e94507d30d8dedb7e075a18c83049f753513..37bd96da168ed8046c90555feb74777516120567 100644 (file)
@@ -514,7 +514,7 @@ extern "C" {
           if (j < data->comments.used) {
             while (j < data->comments.used && data->comments.array[j].stop < i) ++j;
 
-            if (i >= data->comments.array[j].start && i <= data->comments.array[j].stop) {
+            if (j < data->comments.used && i >= data->comments.array[j].start && i <= data->comments.array[j].stop) {
               i = data->comments.array[j++].stop;
 
               continue;
@@ -781,7 +781,7 @@ extern "C" {
           if (j < data->comments.used) {
             while (j < data->comments.used && data->comments.array[j].stop < i) ++j;
 
-            if (i >= data->comments.array[j].start && i <= data->comments.array[j].stop) {
+            if (j < data->comments.used && i >= data->comments.array[j].start && i <= data->comments.array[j].stop) {
               i = data->comments.array[j++].stop;
 
               continue;
index 29a558a223051f2815c97579efb00927ffae0b2b..7926f0932146324a3a05a72ffb02a8544be7aca4 100644 (file)
@@ -736,7 +736,7 @@ extern "C" {
         if (j < data->comments.used) {
           while (j < data->comments.used && data->comments.array[j].stop < i) ++j;
 
-          if (i >= data->comments.array[j].start && i <= data->comments.array[j].stop) {
+          if (j < data->comments.used && i >= data->comments.array[j].start && i <= data->comments.array[j].stop) {
             i = data->comments.array[j++].stop;
 
             continue;
@@ -1121,7 +1121,7 @@ extern "C" {
           if (j < data->comments.used) {
             while (j < data->comments.used && data->comments.array[j].stop < i) ++j;
 
-            if (i >= data->comments.array[j].start && i <= data->comments.array[j].stop) {
+            if (j < data->comments.used && i >= data->comments.array[j].start && i <= data->comments.array[j].stop) {
               i = data->comments.array[j++].stop;
 
               continue;