From: Kevin Day Date: Mon, 20 Dec 2021 03:57:36 +0000 (-0600) Subject: Security: Buffer overflow. X-Git-Tag: 0.5.7~16 X-Git-Url: https://git.kevux.org/?a=commitdiff_plain;h=647417282a9c2cd0f06b9e571cb3410f49ba25a0;p=fll Security: Buffer overflow. The inner loop is stopping when string[i] is NULL. Which is correct. However, this then continues to the outer loop, resulting in ++i. This results in an buffer overflow. Check to see if at NULL before continuing, otherwise break. Perform minor syntax cleanups. --- diff --git a/level_0/f_file/c/file.c b/level_0/f_file/c/file.c index 11c640d..23853c1 100644 --- a/level_0/f_file/c/file.c +++ b/level_0/f_file/c/file.c @@ -911,7 +911,7 @@ extern "C" { f_file_mode_t mode_umask = 0; f_file_mode_t what = 0; - // translate the umask into an f_file_mode_t umask equivalent. + // Translate the umask into an f_file_mode_t umask equivalent. if (umask & F_file_mode_special_set_user_d) { mode_umask = F_file_mode_t_block_special_d & F_file_mode_t_mask_bit_set_owner_d; } @@ -1057,10 +1057,12 @@ extern "C" { on = 0; how = 0; mode_mask = 0; + break; } else { syntax = 0; + break; } @@ -1075,6 +1077,8 @@ extern "C" { if (how > 3) { *mode -= *mode & mode_umask; } + + if (!string[i]) break; } else { syntax = 0; @@ -1110,11 +1114,10 @@ extern "C" { *replace = F_file_mode_t_replace_standard_d | F_file_mode_t_replace_directory_d; } - if (string[i] == f_string_ascii_0_s[0]) { - for (; string[i] == f_string_ascii_0_s[0]; ++i) { - // seek past leading '0's. - } // for - } + // Seek past leading '0's. + while (string[i] == f_string_ascii_0_s[0]) { + ++i; + } // while if (string[i]) { f_array_length_t j = 0; @@ -1126,11 +1129,11 @@ extern "C" { } if (string[i] == f_string_ascii_0_s[0]) { - // already is a zero. + // Already is a zero. } else if (string[i] == f_string_ascii_1_s[0] || string[i] == f_string_ascii_2_s[0] || string[i] == f_string_ascii_3_s[0] || string[i] == f_string_ascii_4_s[0] || string[i] == f_string_ascii_5_s[0] || string[i] == f_string_ascii_6_s[0] || string[i] == f_string_ascii_7_s[0]) { - // this assumes ASCII/UTF-8. + // This assumes ASCII/UTF-8. if (how == 3) { *mode |= (string[i + j] - 0x30) << 4; } @@ -1140,7 +1143,7 @@ extern "C" { } else { - // designate that this is invalid. + // Designate that this is invalid. j = 4; break; } @@ -1151,7 +1154,7 @@ extern "C" { } else if (how == 2) { - // if there are only '0's then the standard and setuid/setgid/sticky bits are to be replaced. + // If there are only '0's then the standard and setuid/setgid/sticky bits are to be replaced. if (!*mode) { *replace = F_file_mode_t_replace_standard_d | F_file_mode_t_replace_special_d; }