Security: NULL pointer dereference in writer due to pipe function result handling.

author Kevin Day <kevin@kevux.org>

Thu, 26 Jan 2023 00:56:36 +0000 (18:56 -0600)

committer Kevin Day <kevin@kevux.org>

Thu, 26 Jan 2023 00:56:36 +0000 (18:56 -0600)
author Kevin Day <kevin@kevux.org>
Thu, 26 Jan 2023 00:56:36 +0000 (18:56 -0600)
committer Kevin Day <kevin@kevux.org>
Thu, 26 Jan 2023 00:56:36 +0000 (18:56 -0600)
diff --git a/level_3/fss_basic_list_write/c/private-write.c b/level_3/fss_basic_list_write/c/private-write.c

index 62ee9dd5798b0067c0392311cc659691b00bdf1a..324a241fc3cd5285d2d78670e73447ced4da8b04 100644 (file)
--- a/level_3/fss_basic_list_write/c/private-write.c
+++ b/level_3/fss_basic_list_write/c/private-write.c
@@ -193,6 +193,7 @@ extern "C" {
  
          range.start = 0;
          range.stop = block.used - 1;
+        status_pipe = F_none;
        }
  
        if (!state || state == 0x1) {
@@ -213,7 +214,7 @@ extern "C" {
            }
          }
  
-        for (; range.start <= range.stop; ++range.start) {
+        for (; range.start <= range.stop && range.start < block.used; ++range.start) {
  
            if (block.string[range.start] == fss_basic_list_write_pipe_content_start_s.string[0]) {
              state = 0x2;
@@ -264,7 +265,7 @@ extern "C" {
              break;
            }
  
-          for (; range.start <= range.stop; ++range.start) {
+          for (; range.start <= range.stop && range.start < block.used; ++range.start) {
  
              if (block.string[range.start] == fss_basic_list_write_pipe_content_start_s.string[0]) {
                if (main->error.verbosity != f_console_verbosity_quiet_e) {
diff --git a/level_3/fss_basic_write/c/private-write.c b/level_3/fss_basic_write/c/private-write.c

index 9c5c7f3e3908a82978fd378c47368a3bed04edcd..57983dfac1a2df176e1a7ee7af9b393bcec7f851 100644 (file)
--- a/level_3/fss_basic_write/c/private-write.c
+++ b/level_3/fss_basic_write/c/private-write.c
@@ -195,6 +195,7 @@ extern "C" {
  
          range.start = 0;
          range.stop = block.used - 1;
+        status_pipe = F_none;
        }
  
        if (!state || state == 0x1) {
@@ -215,7 +216,7 @@ extern "C" {
            }
          }
  
-        for (; range.start <= range.stop; range.start++) {
+        for (; range.start <= range.stop && range.start < block.used; range.start++) {
  
            if (block.string[range.start] == fss_basic_write_pipe_content_start_s.string[0]) {
              state = 0x2;
@@ -266,7 +267,7 @@ extern "C" {
              break;
            }
  
-          for (; range.start <= range.stop; ++range.start) {
+          for (; range.start <= range.stop && range.start < block.used; ++range.start) {
  
              if (block.string[range.start] == fss_basic_write_pipe_content_start_s.string[0]) {
                if (main->error.verbosity != f_console_verbosity_quiet_e) {
diff --git a/level_3/fss_embedded_list_write/c/private-write.c b/level_3/fss_embedded_list_write/c/private-write.c

index 25262416299cf94dcc914a9f0f7092e10b21e06a..8a73ea87c36b875086c46b1ae8484ef7da4d8291 100644 (file)
--- a/level_3/fss_embedded_list_write/c/private-write.c
+++ b/level_3/fss_embedded_list_write/c/private-write.c
@@ -203,6 +203,7 @@ extern "C" {
  
          range.start = 0;
          range.stop = block.used - 1;
+        status_pipe = F_none;
        }
  
        if (!state || state == 0x1) {
@@ -226,7 +227,7 @@ extern "C" {
            }
          }
  
-        for (; range.start <= range.stop; ++range.start) {
+        for (; range.start <= range.stop && range.start < block.used; ++range.start) {
  
            if (block.string[range.start] == fss_embedded_list_write_pipe_content_start_s.string[0]) {
              state = 0x2;
@@ -243,6 +244,7 @@ extern "C" {
            }
  
            if (block.string[range.start] == fss_embedded_list_write_pipe_content_ignore_s.string[0]) {
+
              // This is not used by objects.
              continue;
            }
@@ -276,7 +278,7 @@ extern "C" {
              break;
            }
  
-          for (; range.start <= range.stop; ++range.start) {
+          for (; range.start <= range.stop && range.start < block.used; ++range.start) {
  
              if (block.string[range.start] == fss_embedded_list_write_pipe_content_start_s.string[0]) {
                if (main->error.verbosity != f_console_verbosity_quiet_e) {
diff --git a/level_3/fss_extended_list_write/c/private-write.c b/level_3/fss_extended_list_write/c/private-write.c

index 47e754f7b6b073ec59c4bab34d5a18e8deb982e8..b6ff62717e822e03327b97121cd22c514cd7fb12 100644 (file)
--- a/level_3/fss_extended_list_write/c/private-write.c
+++ b/level_3/fss_extended_list_write/c/private-write.c
@@ -193,6 +193,7 @@ extern "C" {
  
          range.start = 0;
          range.stop = block.used - 1;
+        status_pipe = F_none;
        }
  
        if (!state || state == 0x1) {
@@ -216,7 +217,7 @@ extern "C" {
            }
          }
  
-        for (; range.start <= range.stop; ++range.start) {
+        for (; range.start <= range.stop && range.start < block.used; ++range.start) {
  
            if (block.string[range.start] == fss_extended_list_write_pipe_content_start_s.string[0]) {
              state = 0x2;
@@ -267,7 +268,7 @@ extern "C" {
              break;
            }
  
-          for (; range.start <= range.stop; ++range.start) {
+          for (; range.start <= range.stop && range.start < block.used; ++range.start) {
  
              if (block.string[range.start] == fss_extended_list_write_pipe_content_start_s.string[0]) {
                if (main->error.verbosity != f_console_verbosity_quiet_e) {
diff --git a/level_3/fss_extended_write/c/private-write.c b/level_3/fss_extended_write/c/private-write.c

index e96c26b95d0ecb3ec022e635da34768e918d604e..936ea2fc341536e0f43733759e38b7efa98929ff 100644 (file)
--- a/level_3/fss_extended_write/c/private-write.c
+++ b/level_3/fss_extended_write/c/private-write.c
@@ -201,6 +201,7 @@ extern "C" {
            fll_error_print(main->error, F_status_set_fine(status_pipe), "f_file_read_block", F_true);
  
            status_pipe = F_status_set_error(F_pipe);
+
            break;
          }
  
@@ -212,28 +213,24 @@ extern "C" {
  
        if (!state || state == 0x1) {
          if (!state) {
-          if (contents.used) {
-            for (i = 0; i < contents.used; ++i) {
-              contents.array[i].used = 0;
-            } // for
-          }
+          for (i = 0; i < contents.used; ++i) {
+            contents.array[i].used = 0;
+          } // for
  
            object.used = 0;
            contents.used = 0;
-
            state = 0x1;
          }
  
-        if (object.used + block.used > object.size) {
-          status = f_string_dynamic_increase_by(block.used, &object);
+        status = f_string_dynamic_increase_by(block.used, &object);
  
-          if (F_status_is_error(status)) {
-            fll_error_print(main->error, F_status_set_fine(status), "f_string_dynamic_increase_by", F_true);
-            break;
-          }
+        if (F_status_is_error(status)) {
+          fll_error_print(main->error, F_status_set_fine(status), "f_string_dynamic_increase_by", F_true);
+
+          break;
          }
  
-        for (; range.start <= range.stop; ++range.start) {
+        for (; range.start <= range.stop && range.start < block.used; ++range.start) {
  
            if (block.string[range.start] == fss_extended_write_pipe_content_start_s.string[0]) {
              state = 0x2;
@@ -268,13 +265,12 @@ extern "C" {
        }
  
        if (state == 0x2) {
-        if (contents.used + 1 > contents.size) {
-          status = f_string_dynamics_increase_by(F_fss_default_allocation_step_d, &contents);
+        status = f_string_dynamics_increase_by(F_fss_default_allocation_step_d, &contents);
  
-          if (F_status_is_error(status)) {
-            fll_error_print(main->error, F_status_set_fine(status), "f_string_dynamics_increase_by", F_true);
-            break;
-          }
+        if (F_status_is_error(status)) {
+          fll_error_print(main->error, F_status_set_fine(status), "f_string_dynamics_increase_by", F_true);
+
+          break;
          }
  
          state = 0x3;
@@ -290,17 +286,15 @@ extern "C" {
          }
  
          if (total) {
-          for (; range.start <= range.stop; ++range.start) {
+          for (; range.start <= range.stop && range.start < block.used; ++range.start) {
  
              if (block.string[range.start] == fss_extended_write_pipe_content_start_s.string[0]) {
-              if (contents.used + 1 > contents.size) {
-                status = f_string_dynamics_increase_by(F_fss_default_allocation_step_d, &contents);
+              status = f_string_dynamics_increase_by(F_fss_default_allocation_step_d, &contents);
  
-                if (F_status_is_error(status)) {
-                  fll_error_print(main->error, F_status_set_fine(status), "f_string_dynamics_increase_by", F_true);
+              if (F_status_is_error(status)) {
+                fll_error_print(main->error, F_status_set_fine(status), "f_string_dynamics_increase_by", F_true);
  
-                  break;
-                }
+                break;
                }
  
                ++contents.used;
@@ -329,14 +323,12 @@ extern "C" {
                break;
              }
  
-            if (contents.array[contents.used - 1].used + 1 > contents.array[contents.used - 1].size) {
-              status = f_string_dynamic_increase_by(F_fss_default_allocation_step_d, &contents.array[contents.used - 1]);
+            status = f_string_dynamic_increase_by(F_fss_default_allocation_step_d, &contents.array[contents.used - 1]);
  
-              if (F_status_is_error(status)) {
-                fll_error_print(main->error, F_status_set_fine(status), "f_string_dynamic_increase_by", F_true);
+            if (F_status_is_error(status)) {
+              fll_error_print(main->error, F_status_set_fine(status), "f_string_dynamic_increase_by", F_true);
  
-                break;
-              }
+              break;
              }
  
              contents.array[contents.used - 1].string[contents.array[contents.used - 1].used++] = block.string[range.start];
diff --git a/level_3/fss_payload_write/c/private-write.c b/level_3/fss_payload_write/c/private-write.c

index d658f2756e5479c198d5a587ce901b96b4013085..6c656cf40662faf275ee7f2a7016dd1fac4e1cba 100644 (file)
--- a/level_3/fss_payload_write/c/private-write.c
+++ b/level_3/fss_payload_write/c/private-write.c
@@ -240,6 +240,7 @@ extern "C" {
  
          range.start = 0;
          range.stop = block.used - 1;
+        status_pipe = F_none;
        }
  
        if (!state || state == 0x1) {
@@ -260,7 +261,7 @@ extern "C" {
            }
          }
  
-        for (; range.start <= range.stop; ++range.start) {
+        for (; range.start <= range.stop && range.start < block.used; ++range.start) {
  
            if (block.string[range.start] == fss_payload_write_pipe_content_start_s.string[0]) {
              state = 0x2;
@@ -336,7 +337,7 @@ extern "C" {
              break;
            }
  
-          for (; range.start <= range.stop; ++range.start) {
+          for (; range.start <= range.stop && range.start < block.used; ++range.start) {
  
              if (block.string[range.start] == fss_payload_write_pipe_content_start_s.string[0]) {
                if (main->error.verbosity != f_console_verbosity_quiet_e) {
author	Kevin Day <kevin@kevux.org>
	Thu, 26 Jan 2023 00:56:36 +0000 (18:56 -0600)
committer	Kevin Day <kevin@kevux.org>
	Thu, 26 Jan 2023 00:56:36 +0000 (18:56 -0600)
level_3/fss_basic_list_write/c/private-write.c		patch \| blob \| history
level_3/fss_basic_write/c/private-write.c		patch \| blob \| history
level_3/fss_embedded_list_write/c/private-write.c		patch \| blob \| history
level_3/fss_extended_list_write/c/private-write.c		patch \| blob \| history
level_3/fss_extended_write/c/private-write.c		patch \| blob \| history
level_3/fss_payload_write/c/private-write.c		patch \| blob \| history