mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 04:17:25 +00:00
1c7b69ee0b
Details https://nvd.nist.gov/vuln/detail/CVE-2024-53849 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
55 lines
2.3 KiB
Diff
55 lines
2.3 KiB
Diff
From d47a37a6186d98c6db308d467f822c438972bdbc Mon Sep 17 00:00:00 2001
|
|
From: Christopher Wellons <wellons@nullprogram.com>
|
|
Date: Sat, 17 Feb 2024 15:32:25 -0500
|
|
Subject: [PATCH] Fix a few more stack buffer overflows
|
|
|
|
Several overflows may occur in switch case '[' when the input pattern
|
|
contains many escaped characters. The added backslashes leave too little
|
|
space in the output pattern when processing nested brackets such that
|
|
the remaining input length exceeds the output capacity. Therefore all
|
|
these concatenations must also be checked.
|
|
|
|
The ADD_CHAR was missed in 41281ea (#87). The switch can exit exactly at
|
|
capacity, leaving no room for the finishing '$', causing an overflow.
|
|
|
|
These overflows were discovered through fuzz testing with afl.
|
|
|
|
CVE: CVE-2024-53849
|
|
Upstream-Status: Backport [https://github.com/editorconfig/editorconfig-core-c/commit/fca7cf19e0fb800c2d38f173c1f69ad40bf2a2f5]
|
|
(cherry picked from commit fca7cf19e0fb800c2d38f173c1f69ad40bf2a2f5)
|
|
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
|
|
---
|
|
src/lib/ec_glob.c | 10 +++++++---
|
|
1 file changed, 7 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/src/lib/ec_glob.c b/src/lib/ec_glob.c
|
|
index ea62aee..e62af1f 100644
|
|
--- a/src/lib/ec_glob.c
|
|
+++ b/src/lib/ec_glob.c
|
|
@@ -192,10 +192,14 @@ int ec_glob(const char *pattern, const char *string)
|
|
if (!right_bracket) /* The right bracket may not exist */
|
|
right_bracket = c + strlen(c);
|
|
|
|
- strcat(p_pcre, "\\");
|
|
+ STRING_CAT(p_pcre, "\\", pcre_str_end);
|
|
+ /* Boundary check for strncat below. */
|
|
+ if (pcre_str_end - p_pcre <= right_bracket - c) {
|
|
+ return -1;
|
|
+ }
|
|
strncat(p_pcre, c, right_bracket - c);
|
|
if (*right_bracket) /* right_bracket is a bracket */
|
|
- strcat(p_pcre, "\\]");
|
|
+ STRING_CAT(p_pcre, "\\]", pcre_str_end);
|
|
p_pcre += strlen(p_pcre);
|
|
c = right_bracket;
|
|
if (!*c)
|
|
@@ -339,7 +343,7 @@ int ec_glob(const char *pattern, const char *string)
|
|
}
|
|
}
|
|
|
|
- *(p_pcre ++) = '$';
|
|
+ ADD_CHAR(p_pcre, '$', pcre_str_end);
|
|
|
|
pcre2_code_free(re); /* ^\\d+\\.\\.\\d+$ */
|
|
|