From: millert
Date: Fri, 8 Dec 2017 17:26:42 +0000 (+0000)
Subject: Add missing length checks to make sure we don't dereference a pointer
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=e9d8d7c625b7a4a7dfb4fb170f64e802e7787c5e;p=openbsd

Add missing length checks to make sure we don't dereference a pointer
past the mmap(2)'d buffer. Otherwise, locate will read a single byte past the end of the buffer. This is often harmless, but if the length of the buffer is an even multiple of the page size, locate will crash. OK tb@ espie@ deraadt@
---
diff --git a/usr.bin/locate/locate/fastfind.c b/usr.bin/locate/locate/fastfind.c
index 427f4a7a236..7627aa7d25f 100644
--- a/usr.bin/locate/locate/fastfind.c
+++ b/usr.bin/locate/locate/fastfind.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: fastfind.c,v 1.13 2015/10/23 07:57:03 tedu Exp $ */
+/* $OpenBSD: fastfind.c,v 1.14 2017/12/08 17:26:42 millert Exp $ */
 /*
 * Copyright (c) 1995 Wolfram Schneider . Berlin.
@@ -32,7 +32,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $Id: fastfind.c,v 1.13 2015/10/23 07:57:03 tedu Exp $
+ * $Id: fastfind.c,v 1.14 2017/12/08 17:26:42 millert Exp $
 */
 #ifndef _LOCATE_STATISTIC_
@@ -173,6 +173,8 @@ fastfind_mmap
 /* go forward or backward */
 if (c == SWITCH) { /* big step, an integer */
+ if (len < INTSIZE)
+ break;
 count += getwm(paddr) - OFFSET;
 len -= INTSIZE; paddr += INTSIZE;
 } else { /* slow step, =< 14 chars */
@@ -184,7 +186,7 @@ fastfind_mmap
 p = path + count;
 foundchar = p - 1;
- for (;;) {
+ for (; len > 0; ) {
 c = (u_char)*paddr++;
 len--;
 /*
@@ -197,7 +199,7 @@ fastfind_mmap
 */
 if (c < PARITY) {
 if (c <= UMLAUT) {
- if (c == UMLAUT) {
+ if (c == UMLAUT && len > 0) {
 c = (u_char)*paddr++;
 len--;
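Review bot: The added `if (len < INTSIZE) break;` ends the whole scan silently when a SWITCH byte is the last thing left in the mapping, so a truncated or corrupt database now looks exactly like a clean end of data to the caller. The bound itself is right (the check precedes `len -= INTSIZE`, and `paddr += INTSIZE` shows getwm() consumes those bytes), but the intent deserves a comment on the break, e.g. `/* truncated database: SWITCH must be followed by INTSIZE bytes; stop rather than read past the mapping */`, and if fastfind_mmap already reports corruption elsewhere an errx() would be more consistent than a bare break. If len is the signed off_t length parameter and INTSIZE expands to sizeof(int), this is also a signed/unsigned comparison; that is harmless as long as len never goes negative, which the order of check and decrement here preserves, but the declarations are outside the hunk. The enclosing loop of fastfind_mmap starts and ends outside the hunk.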
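Review bot: The new `for (; len > 0; )` condition stops decoding when the mapping runs out in the middle of a path, but nothing records that the loop ended for that reason rather than through whatever end-of-string exit the loop body has (the body is only partly visible), so the code after the loop, outside this hunk, presumably still treats whatever was accumulated at `p` as a complete entry and may match and print a truncated trailing path. A flag set only on the end-of-string exit and checked after the loop would let the caller discard the partial entry; `len == 0` alone cannot tell the two apart, because a legitimate terminator can also be the last byte of the file. As a point of style, a loop with no init or step clause is conventionally written `while (len > 0) {` rather than `for (; len > 0; ) {`. The enclosing for-loop of fastfind_mmap starts and ends outside the hunk.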