From 1898cbbc7e92dfafb1e2fa3538284442e21c3879 Mon Sep 17 00:00:00 2001 From: Kevin Day Date: Mon, 5 Aug 2024 23:17:59 -0500 Subject: [PATCH] Security: Missing range checks on comment processing. This is a back port of the fixes for problem discovered in the 0.7 branch. The 0.7 program fss_payload_read exposed this issue. This issue affects multiple programs in the 0.6 branch. The fss_payload_read such as the runtime test is wrong: # fss_payload_read -ocn payload level_3/fss_read/tests/runtime/fss_000e/source/test-0002-mixed.fss -t The output is 1 but should instead be 4. # fss_payload_read -ocn payload level_3/fss_read/tests/runtime/fss_000e/source/test-0002-mixed.fss | wc -l Investigating this problem revealed that the comment handling code is failing to perform a range check. The overflow is causing the stop range to point to some random memory address which is almost always larger than the file. This results in the count being wrong. This bug is a security concern. Add the range check in all places where this range check is missing for the comments. --- level_3/fss_basic_list_read/c/private-read.c | 4 ++-- level_3/fss_extended_list_read/c/private-read.c | 4 ++-- level_3/fss_payload_read/c/private-read.c | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/level_3/fss_basic_list_read/c/private-read.c b/level_3/fss_basic_list_read/c/private-read.c index cd06c1a..cd668bc 100644 --- a/level_3/fss_basic_list_read/c/private-read.c +++ b/level_3/fss_basic_list_read/c/private-read.c @@ -506,7 +506,7 @@ extern "C" { } if (j < data->comments.used) { - while (data->comments.array[j].stop < i) ++j; + while (j < data->comments.used && data->comments.array[j].stop < i) ++j; if (i >= data->comments.array[j].start && i <= data->comments.array[j].stop) { i = data->comments.array[j++].stop; @@ -773,7 +773,7 @@ extern "C" { for (i = range.start; i <= range.stop; ++i) { if (j < data->comments.used) { - while (data->comments.array[j].stop < i) ++j; + while (j < data->comments.used && data->comments.array[j].stop < i) ++j; if (i >= data->comments.array[j].start && i <= data->comments.array[j].stop) { i = data->comments.array[j++].stop; diff --git a/level_3/fss_extended_list_read/c/private-read.c b/level_3/fss_extended_list_read/c/private-read.c index 417355f..1c04e94 100644 --- a/level_3/fss_extended_list_read/c/private-read.c +++ b/level_3/fss_extended_list_read/c/private-read.c @@ -512,7 +512,7 @@ extern "C" { for (i = range.start; i <= range.stop; ++i) { if (j < data->comments.used) { - while (data->comments.array[j].stop < i) ++j; + while (j < data->comments.used && data->comments.array[j].stop < i) ++j; if (i >= data->comments.array[j].start && i <= data->comments.array[j].stop) { i = data->comments.array[j++].stop; @@ -779,7 +779,7 @@ extern "C" { for (i = range.start; i <= range.stop; ++i) { if (j < data->comments.used) { - while (data->comments.array[j].stop < i) ++j; + while (j < data->comments.used && data->comments.array[j].stop < i) ++j; if (i >= data->comments.array[j].start && i <= data->comments.array[j].stop) { i = data->comments.array[j++].stop; diff --git a/level_3/fss_payload_read/c/private-read.c b/level_3/fss_payload_read/c/private-read.c index 031a89a..29a558a 100644 --- a/level_3/fss_payload_read/c/private-read.c +++ b/level_3/fss_payload_read/c/private-read.c @@ -734,7 +734,7 @@ extern "C" { } if (j < data->comments.used) { - while (data->comments.array[j].stop < i) ++j; + while (j < data->comments.used && data->comments.array[j].stop < i) ++j; if (i >= data->comments.array[j].start && i <= data->comments.array[j].stop) { i = data->comments.array[j++].stop; @@ -1119,7 +1119,7 @@ extern "C" { for (i = range.start; i <= range.stop; ++i) { if (j < data->comments.used) { - while (data->comments.array[j].stop < i) ++j; + while (j < data->comments.used && data->comments.array[j].stop < i) ++j; if (i >= data->comments.array[j].start && i <= data->comments.array[j].stop) { i = data->comments.array[j++].stop; -- 1.8.3.1