From 8ac5af4bc4b6344442f11f35fdc48177ce570a13 Mon Sep 17 00:00:00 2001 From: Christopher Wellons Date: Sat, 17 Feb 2024 16:01:57 -0500 Subject: [PATCH] Fix pointer overflow in STRING_CAT The end pointer is positioned one past the end of the destination, and it is undefined behavior to compute an address beyond the end pointer, including for comparisons, even temporarily. The UB occurs exactly when buffer overflow would have occurred, so the buffer overflow check could be optimized away by compilers. Even if this wasn't the case, the check could produce a false negative if the computed address overflowed the address space, which is, after all, why the C standard doesn't define behavior in the first place. The fix is simple: Check using sizes, not addresses. The explicit cast suppresses warnings about signed-unsigned comparisons, and the assertion checks the cast. CVE: CVE-2024-53849 Upstream-Status: Backport [https://github.com/editorconfig/editorconfig-core-c/commit/4d5518a0a4e4910c37281ab13a048d0d86999782] (cherry picked from commit 4d5518a0a4e4910c37281ab13a048d0d86999782) Signed-off-by: Ankur Tyagi --- src/lib/ec_glob.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/lib/ec_glob.c b/src/lib/ec_glob.c index e62af1f..c2b83cf 100644 --- a/src/lib/ec_glob.c +++ b/src/lib/ec_glob.c @@ -27,6 +27,7 @@ #include "global.h" +#include #include #include #include @@ -51,7 +52,8 @@ static const UT_icd ut_int_pair_icd = {sizeof(int_pair),NULL,NULL,NULL}; /* concatenate the string then move the pointer to the end */ #define STRING_CAT(p, string, end) do { \ size_t string_len = strlen(string); \ - if (p + string_len >= end) \ + assert(end > p); \ + if (string_len >= (size_t)(end - p)) \ return -1; \ strcat(p, string); \ p += string_len; \