From: Kevin Day Date: Thu, 31 Mar 2022 00:06:18 +0000 (-0500) Subject: Security: Invalid write in FSS processing functions due to improper allocation size. X-Git-Tag: 0.5.9~28 X-Git-Url: https://git.kevux.org/?a=commitdiff_plain;h=bbdd7acd88cf00b1c03386352afcdc04c8a2fb0f;p=fll Security: Invalid write in FSS processing functions due to improper allocation size. The start and stop ranges are inclusive. This means that the size is (stop - start) + 1. The problems happens where the code is adding additional digits to represent end of line or other special characters. When this is added, I seem to have forgotten to add the additional numbers to the + 1 and instead replaced the + 1. This results in the size being potentially short by a single character and thus an invalid write is possible.
---
diff --git a/level_1/fl_fss/c/fss/basic.c b/level_1/fl_fss/c/fss/basic.c
index ec38918..d47e02e 100644
--- a/level_1/fl_fss/c/fss/basic.c
+++ b/level_1/fl_fss/c/fss/basic.c
@@ -181,7 +181,7 @@ extern "C" {
 }
 // Ensure that there is room for the potential terminating newline.
- status = f_string_dynamic_increase_by((range->stop - range->start) + 1, destination);
+ status = f_string_dynamic_increase_by((range->stop - range->start) + 2, destination);
 if (F_status_is_error(status)) return status;
 const f_array_length_t destination_used = destination->used;
diff --git a/level_1/fl_fss/c/fss/basic_list.c b/level_1/fl_fss/c/fss/basic_list.c
index 0617ff1..28ded15 100644
--- a/level_1/fl_fss/c/fss/basic_list.c
+++ b/level_1/fl_fss/c/fss/basic_list.c
@@ -585,7 +585,7 @@ extern "C" {
 }
 // Ensure that there is room for a slash delimit, the object open character, and the end of line character.
- status = f_string_dynamic_increase_by((range->stop - range->start) + 3, destination);
+ status = f_string_dynamic_increase_by((range->stop - range->start) + 4, destination);
 if (F_status_is_error(status)) return status;
 const f_array_length_t used_start = destination->used;
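Review bot: The comment above the corrected call in basic.c (hunk at -181) still accounts only for the terminating newline, so the constant 2 silently folds in the +1 for the inclusive range, which is the same omission the commit message says caused the under-allocation. I would spell both parts out, e.g. `// The range is inclusive, so it holds (stop - start) + 1 characters; reserve 1 more for the potential terminating newline.` The other seven hunks in this patch (basic_list.c, embedded_list.c, extended_list.c, private-fss.c) have the same gap and would benefit from the same wording with their own counts. The enclosing function begins and ends outside the hunk, so whether the later writes stay within this reservation cannot be confirmed from here.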
@@ -799,7 +799,7 @@ extern "C" {
 }
 // Ensure that there is room for a slash delimit and possibly the end of content character.
- status = f_string_dynamic_increase_by((range->stop - range->start) + 2, destination);
+ status = f_string_dynamic_increase_by((range->stop - range->start) + 3, destination);
 if (F_status_is_error(status)) return status;
 const f_array_length_t used_start = destination->used;
diff --git a/level_1/fl_fss/c/fss/embedded_list.c b/level_1/fl_fss/c/fss/embedded_list.c
index fd66083..c8fe8d2 100644
--- a/level_1/fl_fss/c/fss/embedded_list.c
+++ b/level_1/fl_fss/c/fss/embedded_list.c
@@ -1001,7 +1001,7 @@ extern "C" {
 }
 // Ensure that there is room for a slash delimit, the object open character, and the end of line character.
- status = f_string_dynamic_increase_by((range->stop - range->start) + 3, destination);
+ status = f_string_dynamic_increase_by((range->stop - range->start) + 4, destination);
 if (F_status_is_error(status)) return status;
 const f_array_length_t used_start = destination->used;
@@ -1237,7 +1237,7 @@ extern "C" {
 }
 // Ensure that there is room for a slash delimit and possibly the end of content characters.
- status = f_string_dynamic_increase_by((range->stop - range->start) + 3, destination);
+ status = f_string_dynamic_increase_by((range->stop - range->start) + 4, destination);
 if (F_status_is_error(status)) return status;
 const f_array_length_t used_start = destination->used;
diff --git a/level_1/fl_fss/c/fss/extended_list.c b/level_1/fl_fss/c/fss/extended_list.c
index 6c93dc8..33d8b34 100644
--- a/level_1/fl_fss/c/fss/extended_list.c
+++ b/level_1/fl_fss/c/fss/extended_list.c
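Review bot: In embedded_list.c (hunk at -1237) the comment names a slash delimit and "the end of content characters", yet the call now reserves the range length plus three, and nothing says which three characters those are. The near-identical comment in basic_list.c (hunk at -799) reserves only the range length plus two, so a reader cannot tell whether the difference is intended. Listing each reserved character, as the object-write comments in this patch do, would make the constant auditable; the exact characters depend on code outside the hunk, so something of the form `// Range is inclusive ((stop - start) + 1); add 3 for: slash delimit, <char>, <char>.` with the placeholders filled in. The hunk at -784 in extended_list.c carries the same comment and constant.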
@@ -548,7 +548,7 @@ extern "C" {
 }
 // Ensure that there is room for a slash delimit, the object open character, and the end of line character.
- status = f_string_dynamic_increase_by((range->stop - range->start) + 3, destination);
+ status = f_string_dynamic_increase_by((range->stop - range->start) + 4, destination);
 if (F_status_is_error(status)) return status;
 const f_array_length_t used_start = destination->used;
@@ -784,7 +784,7 @@ extern "C" {
 }
 // Ensure that there is room for a slash delimit and possibly the end of content characters.
- status = f_string_dynamic_increase_by((range->stop - range->start) + 3, destination);
+ status = f_string_dynamic_increase_by((range->stop - range->start) + 4, destination);
 if (F_status_is_error(status)) return status;
 const f_array_length_t used_start = destination->used;
diff --git a/level_1/fl_fss/c/private-fss.c b/level_1/fl_fss/c/private-fss.c
index 7da2ef0..cd90c51 100644
--- a/level_1/fl_fss/c/private-fss.c
+++ b/level_1/fl_fss/c/private-fss.c
@@ -856,7 +856,7 @@ extern "C" {
 }
 // Ensure that there is room for the potential start and stop quotes, a potential delimit at start, and the potential object open character.
- status = f_string_dynamic_increase_by((range->stop - range->start) + 4, destination);
+ status = f_string_dynamic_increase_by((range->stop - range->start) + 5, destination);
 if (F_status_is_error(status)) return status;
 const f_array_length_t input_start = range->start;
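Review bot: The visible part of this patch changes eight reservation sizes without adding a test that exercises the boundary, and the private-fss.c hunk at -856 is the one with the most optional characters (both quotes, a leading delimit, the object open character). A regression test that writes an object needing every one of those into a destination with no spare capacity, run under a memory checker such as AddressSanitizer or valgrind, would show that `(range->stop - range->start) + 5` is sufficient and would catch a future off-by-one. The function continues past the end of the hunk, so the writes that consume the reservation are not visible here.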