From bbdd7acd88cf00b1c03386352afcdc04c8a2fb0f Mon Sep 17 00:00:00 2001
From: Kevin Day
Date: Wed, 30 Mar 2022 19:06:18 -0500
Subject: [PATCH] Security: Invalid write in FSS processing functions due to improper allocation size.

The start and stop ranges are inclusive. This means that the size is (stop - start) + 1. The problems happens where the code is adding additional digits to represent end of line or other special characters. When this is added, I seem to have forgotten to add the additional numbers to the + 1 and instead replaced the + 1. This results in the size being potentially short by a single character and thus an invalid write is possible.
---
 level_1/fl_fss/c/fss/basic.c | 2 +-
 level_1/fl_fss/c/fss/basic_list.c | 4 ++--
 level_1/fl_fss/c/fss/embedded_list.c | 4 ++--
 level_1/fl_fss/c/fss/extended_list.c | 4 ++--
 level_1/fl_fss/c/private-fss.c | 2 +-
 5 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/level_1/fl_fss/c/fss/basic.c b/level_1/fl_fss/c/fss/basic.c
index ec38918..d47e02e 100644
--- a/level_1/fl_fss/c/fss/basic.c
+++ b/level_1/fl_fss/c/fss/basic.c
@@ -181,7 +181,7 @@ extern "C" {
 }
 // Ensure that there is room for the potential terminating newline.
- status = f_string_dynamic_increase_by((range->stop - range->start) + 1, destination);
+ status = f_string_dynamic_increase_by((range->stop - range->start) + 2, destination);
 if (F_status_is_error(status)) return status;
 const f_array_length_t destination_used = destination->used;
diff --git a/level_1/fl_fss/c/fss/basic_list.c b/level_1/fl_fss/c/fss/basic_list.c
index 0617ff1..28ded15 100644
--- a/level_1/fl_fss/c/fss/basic_list.c
+++ b/level_1/fl_fss/c/fss/basic_list.c
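Review bot: The corrected sizes are still bare magic numbers, and the comment above the call never says the range is inclusive, which is exactly how the `+ 1` got replaced instead of extended; spelling the inclusive length out keeps the invariant visible, e.g. `status = f_string_dynamic_increase_by((range->stop - range->start + 1) + 1, destination);` under `// Inclusive range length, plus room for the potential terminating newline.`. The same applies to both hunks in basic_list.c, embedded_list.c and extended_list.c (`+ 1 + 3` or `+ 1 + 2` in place of the bare `+ 4`/`+ 3`) and to the private-fss.c hunk (`+ 1 + 4`). If `range->stop` can be below `range->start` on entry, the subtraction wraps to a huge request when `f_array_length_t` is unsigned; presumably the block that closes just above the hunk rejects that case, but it is outside the hunk and worth confirming. The enclosing function starts and ends outside the hunk.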
@@ -585,7 +585,7 @@ extern "C" {
 }
 // Ensure that there is room for a slash delimit, the object open character, and the end of line character.
- status = f_string_dynamic_increase_by((range->stop - range->start) + 3, destination);
+ status = f_string_dynamic_increase_by((range->stop - range->start) + 4, destination);
 if (F_status_is_error(status)) return status;
 const f_array_length_t used_start = destination->used;
@@ -799,7 +799,7 @@ extern "C" {
 }
 // Ensure that there is room for a slash delimit and possibly the end of content character.
- status = f_string_dynamic_increase_by((range->stop - range->start) + 2, destination);
+ status = f_string_dynamic_increase_by((range->stop - range->start) + 3, destination);
 if (F_status_is_error(status)) return status;
 const f_array_length_t used_start = destination->used;
diff --git a/level_1/fl_fss/c/fss/embedded_list.c b/level_1/fl_fss/c/fss/embedded_list.c
index fd66083..c8fe8d2 100644
--- a/level_1/fl_fss/c/fss/embedded_list.c
+++ b/level_1/fl_fss/c/fss/embedded_list.c
@@ -1001,7 +1001,7 @@ extern "C" {
 }
 // Ensure that there is room for a slash delimit, the object open character, and the end of line character.
- status = f_string_dynamic_increase_by((range->stop - range->start) + 3, destination);
+ status = f_string_dynamic_increase_by((range->stop - range->start) + 4, destination);
 if (F_status_is_error(status)) return status;
 const f_array_length_t used_start = destination->used;
@@ -1237,7 +1237,7 @@ extern "C" {
 }
 // Ensure that there is room for a slash delimit and possibly the end of content characters.
- status = f_string_dynamic_increase_by((range->stop - range->start) + 3, destination);
+ status = f_string_dynamic_increase_by((range->stop - range->start) + 4, destination);
 if (F_status_is_error(status)) return status;
 const f_array_length_t used_start = destination->used;
diff --git a/level_1/fl_fss/c/fss/extended_list.c b/level_1/fl_fss/c/fss/extended_list.c
index 6c93dc8..33d8b34 100644
--- a/level_1/fl_fss/c/fss/extended_list.c
+++ b/level_1/fl_fss/c/fss/extended_list.c
@@ -548,7 +548,7 @@ extern "C" {
 }
 // Ensure that there is room for a slash delimit, the object open character, and the end of line character.
- status = f_string_dynamic_increase_by((range->stop - range->start) + 3, destination);
+ status = f_string_dynamic_increase_by((range->stop - range->start) + 4, destination);
 if (F_status_is_error(status)) return status;
 const f_array_length_t used_start = destination->used;
@@ -784,7 +784,7 @@ extern "C" {
 }
 // Ensure that there is room for a slash delimit and possibly the end of content characters.
- status = f_string_dynamic_increase_by((range->stop - range->start) + 3, destination);
+ status = f_string_dynamic_increase_by((range->stop - range->start) + 4, destination);
 if (F_status_is_error(status)) return status;
 const f_array_length_t used_start = destination->used;
diff --git a/level_1/fl_fss/c/private-fss.c b/level_1/fl_fss/c/private-fss.c
index 7da2ef0..cd90c51 100644
--- a/level_1/fl_fss/c/private-fss.c
+++ b/level_1/fl_fss/c/private-fss.c
@@ -856,7 +856,7 @@ extern "C" {
 }
 // Ensure that there is room for the potential start and stop quotes, a potential delimit at start, and the potential object open character.
- status = f_string_dynamic_increase_by((range->stop - range->start) + 4, destination);
+ status = f_string_dynamic_increase_by((range->stop - range->start) + 5, destination);
 if (F_status_is_error(status)) return status;
 const f_array_length_t input_start = range->start;
-- 
1.8.3.1