Files
2025-12-17 11:45:21 +05:30

55 lines
2.3 KiB
Diff

From d47a37a6186d98c6db308d467f822c438972bdbc Mon Sep 17 00:00:00 2001
From: Christopher Wellons <wellons@nullprogram.com>
Date: Sat, 17 Feb 2024 15:32:25 -0500
Subject: [PATCH] Fix a few more stack buffer overflows
Several overflows may occur in switch case '[' when the input pattern
contains many escaped characters. The added backslashes leave too little
space in the output pattern when processing nested brackets such that
the remaining input length exceeds the output capacity. Therefore all
these concatenations must also be checked.
The ADD_CHAR was missed in 41281ea (#87). The switch can exit exactly at
capacity, leaving no room for the finishing '$', causing an overflow.
These overflows were discovered through fuzz testing with afl.
CVE: CVE-2024-53849
Upstream-Status: Backport [https://github.com/editorconfig/editorconfig-core-c/commit/fca7cf19e0fb800c2d38f173c1f69ad40bf2a2f5]
(cherry picked from commit fca7cf19e0fb800c2d38f173c1f69ad40bf2a2f5)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
src/lib/ec_glob.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/lib/ec_glob.c b/src/lib/ec_glob.c
index ea62aee..e62af1f 100644
--- a/src/lib/ec_glob.c
+++ b/src/lib/ec_glob.c
@@ -192,10 +192,14 @@ int ec_glob(const char *pattern, const char *string)
if (!right_bracket) /* The right bracket may not exist */
right_bracket = c + strlen(c);
- strcat(p_pcre, "\\");
+ STRING_CAT(p_pcre, "\\", pcre_str_end);
+ /* Boundary check for strncat below. */
+ if (pcre_str_end - p_pcre <= right_bracket - c) {
+ return -1;
+ }
strncat(p_pcre, c, right_bracket - c);
if (*right_bracket) /* right_bracket is a bracket */
- strcat(p_pcre, "\\]");
+ STRING_CAT(p_pcre, "\\]", pcre_str_end);
p_pcre += strlen(p_pcre);
c = right_bracket;
if (!*c)
@@ -339,7 +343,7 @@ int ec_glob(const char *pattern, const char *string)
}
}
- *(p_pcre ++) = '$';
+ ADD_CHAR(p_pcre, '$', pcre_str_end);
pcre2_code_free(re); /* ^\\d+\\.\\.\\d+$ */