From bddf82bf4609db5e5a94bb45c86bfeaf3139ade8 Mon Sep 17 00:00:00 2001
From: Kevin Day
Date: Thu, 6 May 2021 19:09:32 -0500
Subject: [PATCH] Security: FSS Read functions should check range before buffer.
The range may have exceeded the buffer or the stop point. There is a string test that happens before this is checked. If this string is checked with an out of range address, then a segfault could occur.
---
 level_1/fl_fss/c/fss_embedded_list.c | 7 ++-----
 level_1/fl_fss/c/fss_extended_list.c | 2 ++
 2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/level_1/fl_fss/c/fss_embedded_list.c b/level_1/fl_fss/c/fss_embedded_list.c
index 90906fb..a6b7b14 100644
--- a/level_1/fl_fss/c/fss_embedded_list.c
+++ b/level_1/fl_fss/c/fss_embedded_list.c
@@ -1108,10 +1108,7 @@ extern "C" {
 status = f_fss_skip_past_space(content, range);
 if (F_status_is_error(status)) break;
- if (has_graph && content.string[range->start] == f_fss_embedded_list_close) {
- // do nothing.
- }
- else if (content.string[range->start] == f_fss_eol || range->start >= content.used || range->start > range->stop) {
+ if (range->start >= content.used || range->start > range->stop || content.string[range->start] == f_fss_eol) {
 // increase by total slashes + 1 embedded list open/close.
 status = f_string_dynamic_increase_by(slash_count + 2, destination);
@@ -1171,7 +1168,7 @@ extern "C" {
 status = f_fss_skip_past_space(content, range);
 if (F_status_is_error(status)) break;
- if (content.string[range->start] == f_fss_eol || range->start >= content.used || range->start > range->stop) {
+ if (range->start >= content.used || range->start > range->stop || content.string[range->start] == f_fss_eol) {
 if (content.string[range->start] == f_fss_eol) {
 do_prepend = F_true;
diff --git a/level_1/fl_fss/c/fss_extended_list.c b/level_1/fl_fss/c/fss_extended_list.c
index 78fc523..cc7461f 100644
--- a/level_1/fl_fss/c/fss_extended_list.c
+++ b/level_1/fl_fss/c/fss_extended_list.c
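Review bot: Beyond reordering the bounds checks ahead of the string access, the hunk at line 1108 also removes the `has_graph && content.string[range->start] == f_fss_embedded_list_close` branch entirely, so a close character following a graph character is no longer ignored and falls through to whatever branches follow; the commit message only describes the check reordering, not this behaviour change. If the removal is intended, it deserves a sentence in the message or a short comment at the new `if` explaining where that case is handled now, and `has_graph` should be checked for having become an unused variable if nothing else in the function reads it. The enclosing function starts and ends outside the hunk, so the later branches cannot be seen here.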
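Review bot: In the hunk at line 1171 the reordered outer condition is now safe, but the context line directly inside it, `if (content.string[range->start] == f_fss_eol) {`, is reached exactly when `range->start >= content.used` or `range->start > range->stop` was true, so it still indexes the string at the out-of-range position this commit is meant to avoid. The inner test needs the same guard, e.g. `if (range->start < content.used && range->start <= range->stop && content.string[range->start] == f_fss_eol) {`, so `do_prepend` is only set from an in-range character. The hunk at line 1108 shows no inner dereference in its visible lines, but the rest of that body is outside the hunk and worth checking for the same pattern. The enclosing function starts and ends outside the hunk.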
@@ -291,6 +291,8 @@ extern "C" {
 continue;
 }
+ if (status == F_none_eos || status == F_none_stop) break;
+
 if (buffer.string[range->start] == f_fss_delimit_slash) {
 slash_first = range->start;
 slash_count = 1;
-- 
1.8.3.1
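Review bot: The added guard decides end-of-buffer from `status` values rather than from `range` itself, unlike the embedded-list hunks in this same commit, which compare `range->start` against `content.used` and `range->stop` directly; the call that last set `status` is above the hunk, so whether it reports every out-of-range case through `F_none_eos`/`F_none_stop` cannot be confirmed here. An explicit range check, `if (range->start >= buffer.used || range->start > range->stop) break;` (assuming `buffer` carries the same `.used` field as `content` does in the other file), would protect the `buffer.string[range->start]` read on the next line regardless of which call set `status`, and would keep the two files consistent. The enclosing function and loop start and end outside the hunk.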