From f5097579718dde4eb0dda61abc8e963ffa646238 Mon Sep 17 00:00:00 2001
From: Kevin Day
Date: Sun, 10 Jul 2022 21:45:33 -0500
Subject: [PATCH] Security: Invalid read for formatted printing using partial ranges on a string. If the start position is greater than the used buffer, then an invalid read occurs. Properly verify that the start position is not greater than or equal to the used length of the string.
---
 level_1/fl_print/c/private-print.c | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/level_1/fl_print/c/private-print.c b/level_1/fl_print/c/private-print.c
index 7b82dcc..59247fc 100644
--- a/level_1/fl_print/c/private-print.c
+++ b/level_1/fl_print/c/private-print.c
@@ -327,7 +327,7 @@ extern "C" {
 except_in = va_arg(apl, f_string_ranges_t);
 }
- if (partial.start > partial.stop) {
+ if (partial.start > partial.stop || partial.start >= value.used) {
 *status = F_data_not;
 break;
@@ -350,7 +350,7 @@ extern "C" {
 const f_array_lengths_t except_at = f_array_lengths_t_initialize;
 const f_string_ranges_t except_in = va_arg(apl, f_string_ranges_t);
- if (partial.start > partial.stop) {
+ if (partial.start > partial.stop || partial.start >= value.used) {
 *status = F_data_not;
 break;
@@ -370,7 +370,7 @@ extern "C" {
 }
 }
 else {
- if (partial.start > partial.stop) {
+ if (partial.start > partial.stop || partial.start >= value.used) {
 *status = F_data_not;
 break;
@@ -441,7 +441,7 @@ extern "C" {
 except_in = va_arg(apl, f_string_ranges_t);
 }
- if (partial.start > partial.stop) {
+ if (partial.start > partial.stop || partial.start >= value.used) {
 *status = F_data_not;
 break;
@@ -464,7 +464,7 @@ extern "C" {
 const f_array_lengths_t except_at = f_array_lengths_t_initialize;
 const f_string_ranges_t except_in = va_arg(apl, f_string_ranges_t);
- if (partial.start > partial.stop) {
+ if (partial.start > partial.stop || partial.start >= value.used) {
 *status = F_data_not;
 break;
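Review bot: The widened guard in the hunk at -327 bounds `partial.start` against `value.used` but leaves `partial.stop` unchecked, so a range whose stop lies past the used length still passes it. The code that consumes `partial` comes after the `break;` and outside every hunk here, so confirm that it clamps the printed length to `value.used - partial.start`; if it does not, extend the condition with `|| partial.stop >= value.used` or clamp the stop before use. The same condition is repeated verbatim in the other eleven hunks (-350, -370, -441, -464, -484, -719, -742, -762, -840, -863, -883), which is why one missing bound needed twelve fixes; a single `static inline` predicate taking the range and `value.used` would keep future bounds changes in one place. A regression test that passes a start equal to `used` and one greater than `used` would pin the fix.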
@@ -484,7 +484,7 @@ extern "C" {
 }
 }
 else {
- if (partial.start > partial.stop) {
+ if (partial.start > partial.stop || partial.start >= value.used) {
 *status = F_data_not;
 break;
@@ -719,7 +719,7 @@ extern "C" {
 except_in = va_arg(apl, f_string_ranges_t);
 }
- if (partial.start > partial.stop) {
+ if (partial.start > partial.stop || partial.start >= value.used) {
 *status = F_data_not;
 break;
@@ -742,7 +742,7 @@ extern "C" {
 const f_array_lengths_t except_at = f_array_lengths_t_initialize;
 const f_string_ranges_t except_in = va_arg(apl, f_string_ranges_t);
- if (partial.start > partial.stop) {
+ if (partial.start > partial.stop || partial.start >= value.used) {
 *status = F_data_not;
 break;
@@ -762,7 +762,7 @@ extern "C" {
 }
 }
 else {
- if (partial.start > partial.stop) {
+ if (partial.start > partial.stop || partial.start >= value.used) {
 *status = F_data_not;
 break;
@@ -840,7 +840,7 @@ extern "C" {
 except_in = va_arg(apl, f_string_ranges_t);
 }
- if (partial.start > partial.stop) {
+ if (partial.start > partial.stop || partial.start >= value.used) {
 *status = F_data_not;
 break;
@@ -863,7 +863,7 @@ extern "C" {
 const f_array_lengths_t except_at = f_array_lengths_t_initialize;
 const f_string_ranges_t except_in = va_arg(apl, f_string_ranges_t);
- if (partial.start > partial.stop) {
+ if (partial.start > partial.stop || partial.start >= value.used) {
 *status = F_data_not;
 break;
@@ -883,7 +883,7 @@ extern "C" {
 }
 }
 else {
- if (partial.start > partial.stop) {
+ if (partial.start > partial.stop || partial.start >= value.used) {
 *status = F_data_not;
 break;
-- 
1.8.3.1