From 8de95bdd5a1ccb9ac1e3c7873f3e075fb8a57b8c Mon Sep 17 00:00:00 2001
From: Kevin Day
Date: Fri, 9 Aug 2024 22:17:01 -0500
Subject: [PATCH] Security: Missing range checks on comment processing, handling missed spots.

I failed to perform all of the changes when I backported commit 27c0bbafc2c0f3ae49c0e45297a2dc9f82c11221 via commit 1898cbbc7e92dfafb1e2fa3538284442e21c3879. The while loop is being checked for the comments length. The if condition immediately outside that is not being checked. This check is being performed in the original commit that I backported from. This is simply a backporting oversight.
---
 level_3/fss_basic_list_read/c/private-read.c | 4 ++--
 level_3/fss_extended_list_read/c/private-read.c | 4 ++--
 level_3/fss_payload_read/c/private-read.c | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/level_3/fss_basic_list_read/c/private-read.c b/level_3/fss_basic_list_read/c/private-read.c
index cd668bce3..d06313288 100644
--- a/level_3/fss_basic_list_read/c/private-read.c
+++ b/level_3/fss_basic_list_read/c/private-read.c
@@ -508,7 +508,7 @@ extern "C" {
 if (j < data->comments.used) {
 while (j < data->comments.used && data->comments.array[j].stop < i) ++j;
- if (i >= data->comments.array[j].start && i <= data->comments.array[j].stop) {
+ if (j < data->comments.used && i >= data->comments.array[j].start && i <= data->comments.array[j].stop) {
 i = data->comments.array[j++].stop;
 continue;
@@ -775,7 +775,7 @@ extern "C" {
 if (j < data->comments.used) {
 while (j < data->comments.used && data->comments.array[j].stop < i) ++j;
- if (i >= data->comments.array[j].start && i <= data->comments.array[j].stop) {
+ if (j < data->comments.used && i >= data->comments.array[j].start && i <= data->comments.array[j].stop) {
 i = data->comments.array[j++].stop;
 continue;
diff --git a/level_3/fss_extended_list_read/c/private-read.c b/level_3/fss_extended_list_read/c/private-read.c
index 1c04e9450..37bd96da1 100644
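Review bot: The re-check of `j` on the `if` that follows the `while` carries no comment saying why it is there, and the same sequence is pasted six times (both hunks in this file and both hunks in each of fss_extended_list_read and fss_payload_read), which is how the earlier backport could update the loop and miss the condition beside it. The loop can exit with `j == data->comments.used`, so the old condition read `data->comments.array[j]` past the last used entry; a line such as `// The loop above may leave j == comments.used, so re-check before indexing.` directly above the `if` would keep the guard from being dropped in a later merge. Folding the skip-past-comment logic into one helper per file (or a shared one, if the three programs can share it) would make the next fix a single edit; the enclosing functions start and end outside these hunks, so that is not verifiable from here. Since this commit is itself a follow-up to an incomplete fix, it is worth searching the tree for any remaining `data->comments.array[j]` access that follows the same loop without the bound check.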
--- a/level_3/fss_extended_list_read/c/private-read.c
+++ b/level_3/fss_extended_list_read/c/private-read.c
@@ -514,7 +514,7 @@ extern "C" {
 if (j < data->comments.used) {
 while (j < data->comments.used && data->comments.array[j].stop < i) ++j;
- if (i >= data->comments.array[j].start && i <= data->comments.array[j].stop) {
+ if (j < data->comments.used && i >= data->comments.array[j].start && i <= data->comments.array[j].stop) {
 i = data->comments.array[j++].stop;
 continue;
@@ -781,7 +781,7 @@ extern "C" {
 if (j < data->comments.used) {
 while (j < data->comments.used && data->comments.array[j].stop < i) ++j;
- if (i >= data->comments.array[j].start && i <= data->comments.array[j].stop) {
+ if (j < data->comments.used && i >= data->comments.array[j].start && i <= data->comments.array[j].stop) {
 i = data->comments.array[j++].stop;
 continue;
diff --git a/level_3/fss_payload_read/c/private-read.c b/level_3/fss_payload_read/c/private-read.c
index 29a558a22..7926f0932 100644
--- a/level_3/fss_payload_read/c/private-read.c
+++ b/level_3/fss_payload_read/c/private-read.c
@@ -736,7 +736,7 @@ extern "C" {
 if (j < data->comments.used) {
 while (j < data->comments.used && data->comments.array[j].stop < i) ++j;
- if (i >= data->comments.array[j].start && i <= data->comments.array[j].stop) {
+ if (j < data->comments.used && i >= data->comments.array[j].start && i <= data->comments.array[j].stop) {
 i = data->comments.array[j++].stop;
 continue;
@@ -1121,7 +1121,7 @@ extern "C" {
 if (j < data->comments.used) {
 while (j < data->comments.used && data->comments.array[j].stop < i) ++j;
- if (i >= data->comments.array[j].start && i <= data->comments.array[j].stop) {
+ if (j < data->comments.used && i >= data->comments.array[j].start && i <= data->comments.array[j].stop) {
 i = data->comments.array[j++].stop;
 continue;
--
2.47.3