From: Kevin Day Date: Fri, 7 May 2021 00:09:32 +0000 (-0500) Subject: Security: FSS Read functions should check range before buffer. X-Git-Tag: 0.5.4~43 X-Git-Url: https://git.kevux.org/?a=commitdiff_plain;h=bddf82bf4609db5e5a94bb45c86bfeaf3139ade8;p=fll Security: FSS Read functions should check range before buffer. The range may have exceeded the buffer or the stop point. There is a string test that happens before this is checked. If this string is checked with an out of range address, then a segfault could occur. --- diff --git a/level_1/fl_fss/c/fss_embedded_list.c b/level_1/fl_fss/c/fss_embedded_list.c index 90906fb..a6b7b14 100644 --- a/level_1/fl_fss/c/fss_embedded_list.c +++ b/level_1/fl_fss/c/fss_embedded_list.c @@ -1108,10 +1108,7 @@ extern "C" { status = f_fss_skip_past_space(content, range); if (F_status_is_error(status)) break; - if (has_graph && content.string[range->start] == f_fss_embedded_list_close) { - // do nothing. - } - else if (content.string[range->start] == f_fss_eol || range->start >= content.used || range->start > range->stop) { + if (range->start >= content.used || range->start > range->stop || content.string[range->start] == f_fss_eol) { // increase by total slashes + 1 embedded list open/close. status = f_string_dynamic_increase_by(slash_count + 2, destination); @@ -1171,7 +1168,7 @@ extern "C" { status = f_fss_skip_past_space(content, range); if (F_status_is_error(status)) break; - if (content.string[range->start] == f_fss_eol || range->start >= content.used || range->start > range->stop) { + if (range->start >= content.used || range->start > range->stop || content.string[range->start] == f_fss_eol) { if (content.string[range->start] == f_fss_eol) { do_prepend = F_true; diff --git a/level_1/fl_fss/c/fss_extended_list.c b/level_1/fl_fss/c/fss_extended_list.c index 78fc523..cc7461f 100644 --- a/level_1/fl_fss/c/fss_extended_list.c +++ b/level_1/fl_fss/c/fss_extended_list.c 
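Review bot: The reordered test `if (range->start >= content.used || range->start > range->stop || content.string[range->start] == f_fss_eol)` in the @@ -1108 hunk is safe only because `||` short-circuits, and nothing in the code records that. A one-line comment above it would keep a later edit from moving the string test back to the front, for example `// range checks must come first: content.string[range->start] is valid only once the range is known to lie inside the buffer.` The same comment fits the identical condition in the @@ -1171 hunk. The enclosing loop begins and ends outside the hunk.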
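Review bot: In the @@ -1171 hunk the nested `if (content.string[range->start] == f_fss_eol)` sits directly inside the corrected condition, so it still reads the buffer when the outer branch was entered because `range->start >= content.used` or `range->start > range->stop`. The out-of-range read described in the commit message therefore remains on that path. The inner test should repeat the bounds: `if (range->start < content.used && range->start <= range->stop && content.string[range->start] == f_fss_eol) {`. The rest of that block is outside the hunk, so any further `content.string[range->start]` use there needs the same check.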
@@ -291,6 +291,8 @@ extern "C" { continue; } + if (status == F_none_eos || status == F_none_stop) break; + if (buffer.string[range->start] == f_fss_delimit_slash) { slash_first = range->start; slash_count = 1;
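Review bot: The added `if (status == F_none_eos || status == F_none_stop) break;` protects the following `buffer.string[range->start]` read only if `status` still holds the result of the call that last advanced the range. That assignment is outside the hunk, so it cannot be confirmed from here. The fss_embedded_list.c hunks test the range itself, and adding the same test here would not depend on the status value: `if (status == F_none_eos || status == F_none_stop || range->start >= buffer.used || range->start > range->stop) break;`. If the status-only form is intended, a short comment naming the call that sets `status` would make the guard easier to verify.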