artulab
projects / openbsd / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 753a1ad)
Add missing length checks to make sure we don't dereference a pointer
authormillert <millert@openbsd.org>
Fri, 8 Dec 2017 17:26:42 +0000 (17:26 +0000)
committermillert <millert@openbsd.org>
Fri, 8 Dec 2017 17:26:42 +0000 (17:26 +0000)
past the mmap(2)'d buffer.  Otherwise, locate will read a single
byte past the end of the buffer.  This is often harmless, but if
the length of the buffer is an even multiple of the page size,
locate will crash.  OK tb@ espie@ deraadt@

usr.bin/locate/locate/fastfind.c patch | blob | history

diff --git a/usr.bin/locate/locate/fastfind.c b/usr.bin/locate/locate/fastfind.c
index 427f4a7..7627aa7 100644 (file)
--- a/usr.bin/locate/locate/fastfind.c
+++ b/usr.bin/locate/locate/fastfind.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: fastfind.c,v 1.13 2015/10/23 07:57:03 tedu Exp $      */
+/*     $OpenBSD: fastfind.c,v 1.14 2017/12/08 17:26:42 millert Exp $   */
 
 /*
  * Copyright (c) 1995 Wolfram Schneider <wosch@FreeBSD.org>. Berlin.
@@ -32,7 +32,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $Id: fastfind.c,v 1.13 2015/10/23 07:57:03 tedu Exp $
+ * $Id: fastfind.c,v 1.14 2017/12/08 17:26:42 millert Exp $
  */
 
 #ifndef _LOCATE_STATISTIC_
@@ -173,6 +173,8 @@ fastfind_mmap
 
                /* go forward or backward */
                if (c == SWITCH) { /* big step, an integer */
+                       if (len < INTSIZE)
+                               break;
                        count += getwm(paddr) - OFFSET;
                        len -= INTSIZE; paddr += INTSIZE;
                } else {           /* slow step, =< 14 chars */
@@ -184,7 +186,7 @@ fastfind_mmap
                p = path + count;
                foundchar = p - 1;
 
-               for (;;) {
+               for (; len > 0; ) {
                        c = (u_char)*paddr++;
                        len--;
                        /*
@@ -197,7 +199,7 @@ fastfind_mmap
                         */
                        if (c < PARITY) {
                                if (c <= UMLAUT) {
-                                       if (c == UMLAUT) {
+                                       if (c == UMLAUT && len > 0) {
                                                c = (u_char)*paddr++;
                                                len--;
 
OpenBSD src
by Ahmet Artu Yildirim