From bc2fa2d9d39bd0a630d2a3f781fcc84ec0651ee5 Mon Sep 17 00:00:00 2001
From: Kevin Day
Date: Wed, 11 Sep 2024 17:32:38 -0500
Subject: [PATCH] Security: Changes to f_memory_array_increase() API causes invalid memory access.

This is a security related regression. The `f_memory_array_increase()` has been changed to only guarantee that at least 1 element is increased if not available. The code is Controller is depending on the old behavior where the allocation step is guaranteed. The new behavior of `f_memory_array_increase()` performs additional steps to prevent memory abuse which in tern causes the first allocation to only consist of a single element. Use instead `f_memory_array_resize()` if the size is too small. In another case, instead use `f_memory_array_increase_by()` to ensure that the increase is at least 2 elements.
---
 sources/c/program/controller/main/entry/preprocess.c | 10 ++++++----
 sources/c/program/controller/main/entry/process.c | 14 ++++++++------
 2 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/sources/c/program/controller/main/entry/preprocess.c b/sources/c/program/controller/main/entry/preprocess.c
index c61301e..29a50ad 100644
--- a/sources/c/program/controller/main/entry/preprocess.c
+++ b/sources/c/program/controller/main/entry/preprocess.c
@@ -32,12 +32,14 @@ extern "C" {
 cache->action.name_action.used = 0;
 cache->action.name_item.used = 0;
- status = f_memory_array_increase(controller_allocation_small_d, sizeof(f_number_unsigned_t), (void **) &cache->ats.array, &cache->ats.used, &cache->ats.size);
+ if (cache->ats.size < 2) {
+ status = f_memory_array_resize(2, sizeof(f_number_unsigned_t), (void **) &cache->ats.array, &cache->ats.used, &cache->ats.size);
- if (F_status_is_error(status)) {
- controller_print_error_entry(&main->program.error, is_entry, F_status_set_fine(status), macro_controller_f(f_memory_array_increase), F_true);
+ if (F_status_is_error(status)) {
+ controller_print_error_entry(&main->program.error, is_entry, F_status_set_fine(status), macro_controller_f(f_memory_array_resize), F_true);
- return status;
+ return status;
+ }
 }
 // Utilize the ats cache as an item execution stack (at_i is for item index, and at_j (at_i + 1) is for Action index).
diff --git a/sources/c/program/controller/main/entry/process.c b/sources/c/program/controller/main/entry/process.c
index 47fe4dd..5ddebb2 100644
--- a/sources/c/program/controller/main/entry/process.c
+++ b/sources/c/program/controller/main/entry/process.c
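Review bot: `status` is now written only inside the new `if (cache->ats.size < 2)` guard, whereas the removed call assigned it unconditionally, so when the array already has two slots it keeps whatever value it held on entry to this block. The declaration of `status` and the code that follows are outside the hunk, so confirm it is initialized and not read before its next assignment, or set it explicitly ahead of the guard, e.g. `status = F_okay;`. The first hunk of process.c has the same shape and needs the same check.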
@@ -32,12 +32,14 @@ extern "C" {
 cache->action.name_action.used = 0;
 cache->action.name_item.used = 0;
- status = f_memory_array_increase(controller_allocation_small_d, sizeof(f_number_unsigned_t), (void **) &cache->ats.array, &cache->ats.used, &cache->ats.size);
+ if (cache->ats.size < 2) {
+ status = f_memory_array_resize(2, sizeof(f_number_unsigned_t), (void **) &cache->ats.array, &cache->ats.used, &cache->ats.size);
- if (F_status_is_error(status)) {
- controller_print_error_entry(&main->program.error, is_entry, F_status_set_fine(status), macro_controller_f(f_memory_array_increase), F_true);
+ if (F_status_is_error(status)) {
+ controller_print_error_entry(&main->program.error, is_entry, F_status_set_fine(status), macro_controller_f(f_memory_array_resize), F_true);
- return status;
+ return status;
+ }
 }
 // Utilize the "ats" cache as an item execution stack (at_i is for item index, and at_j (at_i + 1) is for Action index).
@@ -145,10 +147,10 @@ extern "C" {
 return F_status_is_error(F_critical);
 }
- status = f_memory_array_increase(controller_allocation_small_d, sizeof(f_number_unsigned_t), (void **) &cache->ats.array, &cache->ats.used, &cache->ats.size);
+ status = f_memory_array_increase_by(2, sizeof(f_number_unsigned_t), (void **) &cache->ats.array, &cache->ats.used, &cache->ats.size);
 if (F_status_is_error(status)) {
- controller_print_error_entry(&main->program.error, is_entry, F_status_set_fine(status), macro_controller_f(f_memory_array_increase), F_true);
+ controller_print_error_entry(&main->program.error, is_entry, F_status_set_fine(status), macro_controller_f(f_memory_array_increase_by), F_true);
 return status;
 }
-- 
1.8.3.1
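Review bot: The literal `2` in the guard and in the `f_memory_array_resize()` call appears to be the number of slots the code below needs for the at_i/at_j pair, but that link is only implied by the comment after the block. This regression came from relying on an allocator guarantee that was not written down, so state the requirement at the call, e.g. `// The ats stack holds an (at_i, at_j) pair; guarantee room for both before indexing.`. Alternatively use one named constant for the `2` here, in the `f_memory_array_increase_by()` call in the next hunk, and in preprocess.c. The code that indexes the array is outside the hunk.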
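Review bot: The context line `return F_status_is_error(F_critical);` just above the changed call returns the result of the error-bit test rather than an error status; the same macro is used as a predicate in `if (F_status_is_error(status))` further down in this hunk. If the intent is to report a critical failure, this should presumably be `return F_status_set_error(F_critical);`, otherwise a caller that tests the return value with `F_status_is_error()` may treat the failure as success and continue. The condition guarding this return is outside the hunk.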