From 8de95bdd5a1ccb9ac1e3c7873f3e075fb8a57b8c Mon Sep 17 00:00:00 2001 From: Kevin Day Date: Fri, 9 Aug 2024 22:17:01 -0500 Subject: [PATCH] Security: Missing range checks on comment processing, handling missed spots. I failed to perform all of the changes when I backported commit 27c0bbafc2c0f3ae49c0e45297a2dc9f82c11221 via commit 1898cbbc7e92dfafb1e2fa3538284442e21c3879. The while loop is being checked for the comments length. The if condition immediately outside that is not being checked. This check is being performed in the original commit that I backported from. This is simply a backporting oversight. --- level_3/fss_basic_list_read/c/private-read.c | 4 ++-- level_3/fss_extended_list_read/c/private-read.c | 4 ++-- level_3/fss_payload_read/c/private-read.c | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/level_3/fss_basic_list_read/c/private-read.c b/level_3/fss_basic_list_read/c/private-read.c index cd668bc..d063132 100644 --- a/level_3/fss_basic_list_read/c/private-read.c +++ b/level_3/fss_basic_list_read/c/private-read.c @@ -508,7 +508,7 @@ extern "C" { if (j < data->comments.used) { while (j < data->comments.used && data->comments.array[j].stop < i) ++j; - if (i >= data->comments.array[j].start && i <= data->comments.array[j].stop) { + if (j < data->comments.used && i >= data->comments.array[j].start && i <= data->comments.array[j].stop) { i = data->comments.array[j++].stop; continue; @@ -775,7 +775,7 @@ extern "C" { if (j < data->comments.used) { while (j < data->comments.used && data->comments.array[j].stop < i) ++j; - if (i >= data->comments.array[j].start && i <= data->comments.array[j].stop) { + if (j < data->comments.used && i >= data->comments.array[j].start && i <= data->comments.array[j].stop) { i = data->comments.array[j++].stop; continue; diff --git a/level_3/fss_extended_list_read/c/private-read.c b/level_3/fss_extended_list_read/c/private-read.c index 1c04e94..37bd96d 100644 --- a/level_3/fss_extended_list_read/c/private-read.c +++ b/level_3/fss_extended_list_read/c/private-read.c @@ -514,7 +514,7 @@ extern "C" { if (j < data->comments.used) { while (j < data->comments.used && data->comments.array[j].stop < i) ++j; - if (i >= data->comments.array[j].start && i <= data->comments.array[j].stop) { + if (j < data->comments.used && i >= data->comments.array[j].start && i <= data->comments.array[j].stop) { i = data->comments.array[j++].stop; continue; @@ -781,7 +781,7 @@ extern "C" { if (j < data->comments.used) { while (j < data->comments.used && data->comments.array[j].stop < i) ++j; - if (i >= data->comments.array[j].start && i <= data->comments.array[j].stop) { + if (j < data->comments.used && i >= data->comments.array[j].start && i <= data->comments.array[j].stop) { i = data->comments.array[j++].stop; continue; diff --git a/level_3/fss_payload_read/c/private-read.c b/level_3/fss_payload_read/c/private-read.c index 29a558a..7926f09 100644 --- a/level_3/fss_payload_read/c/private-read.c +++ b/level_3/fss_payload_read/c/private-read.c @@ -736,7 +736,7 @@ extern "C" { if (j < data->comments.used) { while (j < data->comments.used && data->comments.array[j].stop < i) ++j; - if (i >= data->comments.array[j].start && i <= data->comments.array[j].stop) { + if (j < data->comments.used && i >= data->comments.array[j].start && i <= data->comments.array[j].stop) { i = data->comments.array[j++].stop; continue; @@ -1121,7 +1121,7 @@ extern "C" { if (j < data->comments.used) { while (j < data->comments.used && data->comments.array[j].stop < i) ++j; - if (i >= data->comments.array[j].start && i <= data->comments.array[j].stop) { + if (j < data->comments.used && i >= data->comments.array[j].start && i <= data->comments.array[j].stop) { i = data->comments.array[j++].stop; continue; -- 1.8.3.1