From: Kevin Day Date: Sat, 26 Sep 2020 21:14:52 +0000 (-0500) Subject: Security: Incorrect size increase in private_fll_iki_content_partial_escape(). X-Git-Tag: 0.5.1~56 X-Git-Url: https://git.kevux.org/?a=commitdiff_plain;h=50560e1be9d8a16f6966e438f92c014d82675682;p=fll Security: Incorrect size increase in private_fll_iki_content_partial_escape(). The size increase test is "escaped->used + delimits + 2", but actual arguments passed to the increase function is "delimits". The "+2" is missing. This gets caught by the parameter checker when delimits is 0. When delimits is, say 1, then an insufficient amount of memory is increased. This will likely result in a segfault. --- diff --git a/level_2/fll_iki/c/private-iki.c b/level_2/fll_iki/c/private-iki.c index 6e666f7..36b4679 100644 --- a/level_2/fll_iki/c/private-iki.c +++ b/level_2/fll_iki/c/private-iki.c @@ -23,7 +23,7 @@ extern "C" { if (content.string[i] == quote) { if (escaped->used + delimits + 2 > escaped->size) { - status = fl_string_dynamic_size_increase(delimits, escaped); + status = fl_string_dynamic_size_increase(delimits + 2, escaped); if (F_status_is_error(status)) return status; }
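Review bot: the corrected call `fl_string_dynamic_size_increase(delimits + 2, escaped)` grows the buffer by exactly the amount the guard `escaped->used + delimits + 2 > escaped->size` demands, and nothing else ties the two expressions together; the bug being fixed is precisely that they drifted apart. Consider deriving both from one computed value (for example a local holding the required total, then passing the shortfall `required - escaped->size`), so a future edit to one cannot silently leave the other short again. Since this branch sits inside the per-character scan (`content.string[i] == quote`), growing by the bare minimum also means a reallocation on every quote once the buffer is full; growing by a larger step here, or sizing `escaped` up front from a count of quotes in `content`, would avoid that. A regression test that drives this path with delimits == 1 (the case the message says previously slipped past the parameter checker) would pin the fix down.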