From 77969088e4a0f85fa310434c39414794816d8329 Mon Sep 17 00:00:00 2001
From: Kevin Day
Date: Wed, 25 Jan 2023 18:56:04 -0600
Subject: [PATCH] Security: NULL pointer dereference in writer due to pipe function result handling.

The GCC -fanalyzer parameter helped me discover this one. The status_pipe is being read and processed. There is a case where the status_pipe is being set but it is not being reset after handling. In a later loop the pipe does not get read but the previously set state is used bringing the code into a bad state. Then the loop doesn't do the block buffer used check and this results in the eventual NULL dereference.
---
 level_3/fss_write/c/payload/fss_write.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/level_3/fss_write/c/payload/fss_write.c b/level_3/fss_write/c/payload/fss_write.c
index 53063a4..ab3a051 100644
--- a/level_3/fss_write/c/payload/fss_write.c
+++ b/level_3/fss_write/c/payload/fss_write.c
@@ -117,6 +117,7 @@ extern "C" {
 
 range.start = 0;
 range.stop = setting->block.used - 1;
+ status_pipe = F_none;
 }
 
 // Start Object.
@@ -139,7 +140,7 @@ extern "C" {
 break;
 }
 
- for (; range.start <= range.stop; ++range.start) {
+ for (; range.start <= range.stop && range.start < setting->block.used; ++range.start) {
 
 // Do not handle start/end while inside an ignore set.
 if (!(flag & 0x2)) {
@@ -248,7 +249,7 @@ extern "C" {
 break;
 }
 
- for (; range.start <= range.stop; ++range.start) {
+ for (; range.start <= range.stop && range.start < setting->block.used; ++range.start) {
 
 // Do not handle start/end while inside an ignore set.
 if (!(flag & 0x2)) {
-- 
1.8.3.1
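Review bot: The reset `status_pipe = F_none;` in the @@ -117 hunk is placed only in the branch that recomputes `range`, so any other path through the loop that consumes `status_pipe` without re-reading the pipe would still see the previous iteration's value; if such paths exist, clearing `status_pipe` at the top of each iteration, or immediately after its value is consumed, removes the stale-state case in general rather than for this one branch. A one-line comment such as `// Clear the consumed pipe status so a later iteration that skips the read cannot reuse it.` would record why the reset sits here. The enclosing loop and function both start and end outside the hunk.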
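Review bot: The added bound `range.start < setting->block.used` in the @@ -139 hunk (and the identical loop in the @@ -248 hunk) makes the loop safe but leaves `range.stop = setting->block.used - 1` from the first hunk computed without checking that `block.used` is non-zero; if `range.stop` is an unsigned length type, as it appears to be in this code base, a zero `used` wraps it to the maximum value and the original `range.start <= range.stop` test is then always true, which is presumably the path that reached the NULL dereference. Skipping the loop explicitly when the block is empty, e.g. `if (!setting->block.used) break;` before the `for` (a `break` is visibly valid at that point), would make the intent clearer than relying on the second condition to mask the wrapped `range.stop`. A short comment on the new condition, `// block.used may be 0, in which case range.stop has wrapped; bound on used as well.`, would explain why two tests are needed. Both for-loop bodies continue beyond their hunks.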