From: Kevin Day Date: Tue, 6 Aug 2024 04:17:59 +0000 (-0500) Subject: Security: Missing range checks on comment processing. X-Git-Tag: 0.6.11~5 X-Git-Url: https://git.kevux.org/?a=commitdiff_plain;h=1898cbbc7e92dfafb1e2fa3538284442e21c3879;p=fll Security: Missing range checks on comment processing. This is a back port of the fixes for problem discovered in the 0.7 branch. The 0.7 program fss_payload_read exposed this issue. This issue affects multiple programs in the 0.6 branch. The fss_payload_read such as the runtime test is wrong: # fss_payload_read -ocn payload level_3/fss_read/tests/runtime/fss_000e/source/test-0002-mixed.fss -t The output is 1 but should instead be 4. # fss_payload_read -ocn payload level_3/fss_read/tests/runtime/fss_000e/source/test-0002-mixed.fss | wc -l Investigating this problem revealed that the comment handling code is failing to perform a range check. The overflow is causing the stop range to point to some random memory address which is almost always larger than the file. This results in the count being wrong. This bug is a security concern. Add the range check in all places where this range check is missing for the comments. --- diff --git a/level_3/fss_basic_list_read/c/private-read.c b/level_3/fss_basic_list_read/c/private-read.c index cd06c1a..cd668bc 100644 --- a/level_3/fss_basic_list_read/c/private-read.c +++ b/level_3/fss_basic_list_read/c/private-read.c @@ -506,7 +506,7 @@ extern "C" { } if (j < data->comments.used) { - while (data->comments.array[j].stop < i) ++j; + while (j < data->comments.used && data->comments.array[j].stop < i) ++j; if (i >= data->comments.array[j].start && i <= data->comments.array[j].stop) { i = data->comments.array[j++].stop; @@ -773,7 +773,7 @@ extern "C" { for (i = range.start; i <= range.stop; ++i) { if (j < data->comments.used) { - while (data->comments.array[j].stop < i) ++j; + while (j < data->comments.used && data->comments.array[j].stop < i) ++j; if (i >= data->comments.array[j].start && i <= data->comments.array[j].stop) { i = data->comments.array[j++].stop; diff --git a/level_3/fss_extended_list_read/c/private-read.c b/level_3/fss_extended_list_read/c/private-read.c index 417355f..1c04e94 100644 --- a/level_3/fss_extended_list_read/c/private-read.c +++ b/level_3/fss_extended_list_read/c/private-read.c @@ -512,7 +512,7 @@ extern "C" { for (i = range.start; i <= range.stop; ++i) { if (j < data->comments.used) { - while (data->comments.array[j].stop < i) ++j; + while (j < data->comments.used && data->comments.array[j].stop < i) ++j; if (i >= data->comments.array[j].start && i <= data->comments.array[j].stop) { i = data->comments.array[j++].stop; @@ -779,7 +779,7 @@ extern "C" { for (i = range.start; i <= range.stop; ++i) { if (j < data->comments.used) { - while (data->comments.array[j].stop < i) ++j; + while (j < data->comments.used && data->comments.array[j].stop < i) ++j; if (i >= data->comments.array[j].start && i <= data->comments.array[j].stop) { i = data->comments.array[j++].stop; diff --git a/level_3/fss_payload_read/c/private-read.c b/level_3/fss_payload_read/c/private-read.c index 031a89a..29a558a 100644 --- a/level_3/fss_payload_read/c/private-read.c +++ b/level_3/fss_payload_read/c/private-read.c @@ -734,7 +734,7 @@ extern "C" { } if (j < data->comments.used) { - while (data->comments.array[j].stop < i) ++j; + while (j < data->comments.used && data->comments.array[j].stop < i) ++j; if (i >= data->comments.array[j].start && i <= data->comments.array[j].stop) { i = data->comments.array[j++].stop; @@ -1119,7 +1119,7 @@ extern "C" { for (i = range.start; i <= range.stop; ++i) { if (j < data->comments.used) { - while (data->comments.array[j].stop < i) ++j; + while (j < data->comments.used && data->comments.array[j].stop < i) ++j; if (i >= data->comments.array[j].start && i <= data->comments.array[j].stop) { i = data->comments.array[j++].stop;