Security: Changes to f_memory_array_increase() API causes invalid memory access.

This is a security related regression.
The `f_memory_array_increase()` has been changed to only guarantee that at least 1 element is increased if not available.
The code is Controller is depending on the old behavior where the allocation step is guaranteed.

The new behavior of `f_memory_array_increase()` performs additional steps to prevent memory abuse which in tern causes the first allocation to only consist of a single element.

Use instead `f_memory_array_resize()` if the size is too small.

In another case, instead use `f_memory_array_increase_by()` to ensure that the increase is at least 2 elements.

diff --git a/sources/c/program/controller/main/entry/preprocess.c b/sources/c/program/controller/main/entry/preprocess.c
index c61301eed4886d107b8a492632b917465885fc14..29a50ad70e27fec2311204a17b01e385114b0386 100644 (file)
--- a/sources/c/program/controller/main/entry/preprocess.c
+++ b/sources/c/program/controller/main/entry/preprocess.c
@@ -32,12 +32,14 @@ extern "C" {
     cache->action.name_action.used = 0;
     cache->action.name_item.used = 0;
 
-    status = f_memory_array_increase(controller_allocation_small_d, sizeof(f_number_unsigned_t), (void **) &cache->ats.array, &cache->ats.used, &cache->ats.size);
+    if (cache->ats.size < 2) {
+      status = f_memory_array_resize(2, sizeof(f_number_unsigned_t), (void **) &cache->ats.array, &cache->ats.used, &cache->ats.size);
 
-    if (F_status_is_error(status)) {
-      controller_print_error_entry(&main->program.error, is_entry, F_status_set_fine(status), macro_controller_f(f_memory_array_increase), F_true);
+      if (F_status_is_error(status)) {
+        controller_print_error_entry(&main->program.error, is_entry, F_status_set_fine(status), macro_controller_f(f_memory_array_resize), F_true);
 
-      return status;
+        return status;
+      }
     }
 
     // Utilize the ats cache as an item execution stack (at_i is for item index, and at_j (at_i + 1) is for Action index).

diff --git a/sources/c/program/controller/main/entry/process.c b/sources/c/program/controller/main/entry/process.c
index 47fe4dd31ca3bbb5077dd5fccc3feb37a3e70eb9..5ddebb2d0428f1eaf942ba0cb9a73327b1184196 100644 (file)
--- a/sources/c/program/controller/main/entry/process.c
+++ b/sources/c/program/controller/main/entry/process.c
@@ -32,12 +32,14 @@ extern "C" {
     cache->action.name_action.used = 0;
     cache->action.name_item.used = 0;
 
-    status = f_memory_array_increase(controller_allocation_small_d, sizeof(f_number_unsigned_t), (void **) &cache->ats.array, &cache->ats.used, &cache->ats.size);
+    if (cache->ats.size < 2) {
+      status = f_memory_array_resize(2, sizeof(f_number_unsigned_t), (void **) &cache->ats.array, &cache->ats.used, &cache->ats.size);
 
-    if (F_status_is_error(status)) {
-      controller_print_error_entry(&main->program.error, is_entry, F_status_set_fine(status), macro_controller_f(f_memory_array_increase), F_true);
+      if (F_status_is_error(status)) {
+        controller_print_error_entry(&main->program.error, is_entry, F_status_set_fine(status), macro_controller_f(f_memory_array_resize), F_true);
 
-      return status;
+        return status;
+      }
     }
 
     // Utilize the "ats" cache as an item execution stack (at_i is for item index, and at_j (at_i + 1) is for Action index).
@@ -145,10 +147,10 @@ extern "C" {
             return F_status_is_error(F_critical);
           }
 
-          status = f_memory_array_increase(controller_allocation_small_d, sizeof(f_number_unsigned_t), (void **) &cache->ats.array, &cache->ats.used, &cache->ats.size);
+          status = f_memory_array_increase_by(2, sizeof(f_number_unsigned_t), (void **) &cache->ats.array, &cache->ats.used, &cache->ats.size);
 
           if (F_status_is_error(status)) {
-            controller_print_error_entry(&main->program.error, is_entry, F_status_set_fine(status), macro_controller_f(f_memory_array_increase), F_true);
+            controller_print_error_entry(&main->program.error, is_entry, F_status_set_fine(status), macro_controller_f(f_memory_array_increase_by), F_true);
 
             return status;
           }