From e9d8d7c625b7a4a7dfb4fb170f64e802e7787c5e Mon Sep 17 00:00:00 2001
From: millert
Date: Fri, 8 Dec 2017 17:26:42 +0000
Subject: [PATCH] Add missing length checks to make sure we don't dereference a pointer past the mmap(2)'d buffer. Otherwise, locate will read a single byte past the end of the buffer. This is often harmless, but if the length of the buffer is an even multiple of the page size, locate will crash. OK tb@ espie@ deraadt@
---
 usr.bin/locate/locate/fastfind.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/usr.bin/locate/locate/fastfind.c b/usr.bin/locate/locate/fastfind.c
index 427f4a7a236..7627aa7d25f 100644
--- a/usr.bin/locate/locate/fastfind.c
+++ b/usr.bin/locate/locate/fastfind.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: fastfind.c,v 1.13 2015/10/23 07:57:03 tedu Exp $ */
+/* $OpenBSD: fastfind.c,v 1.14 2017/12/08 17:26:42 millert Exp $ */
 
 /*
 * Copyright (c) 1995 Wolfram Schneider . Berlin.
@@ -32,7 +32,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $Id: fastfind.c,v 1.13 2015/10/23 07:57:03 tedu Exp $
+ * $Id: fastfind.c,v 1.14 2017/12/08 17:26:42 millert Exp $
 */
 
 #ifndef _LOCATE_STATISTIC_
@@ -173,6 +173,8 @@ fastfind_mmap
 /* go forward or backward */
 if (c == SWITCH) { /* big step, an integer */
+ if (len < INTSIZE)
+ break;
 count += getwm(paddr) - OFFSET;
 len -= INTSIZE; paddr += INTSIZE;
 } else { /* slow step, =< 14 chars */
@@ -184,7 +186,7 @@ fastfind_mmap
 p = path + count;
 foundchar = p - 1;
- for (;;) {
+ for (; len > 0; ) {
 c = (u_char)*paddr++; len--;
 /*
@@ -197,7 +199,7 @@ fastfind_mmap
 */
 if (c < PARITY) {
 if (c <= UMLAUT) {
- if (c == UMLAUT) {
+ if (c == UMLAUT && len > 0) {
 c = (u_char)*paddr++; len--;
-- 
2.20.1
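Review bot: The new `break` on `len < INTSIZE` ends the scan silently, so a database truncated in the middle of an offset record appears to finish the same way as a cleanly terminated one; if the file already has a corrupted-database error path, a truncated record is probably better routed through it than treated as a normal end of input. At minimum a comment would record the intent, e.g. `/* offset would run past the end of the mmap'd buffer: stop the scan */`. The enclosing loop and its own per-record byte read start above this hunk, so I cannot see whether the loop condition already guards the first read of each record.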
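Review bot: Stopping the inner loop on `len > 0` means it can now exit with a partially assembled path in `p` when the buffer ends mid-record, not only at a record terminator; the code after the loop is outside this hunk, so I cannot tell whether it treats that partial path as a complete entry. If it does, a truncated final record could be compared and reported on its prefix alone. Consider naming both exit conditions at the loop head, e.g. `/* ends at a record terminator or, for a truncated database, at the end of the buffer */`, and, if the post-loop code does not already do so, checking `len` there before using the path.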
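Review bot: With `&& len > 0` added, an UMLAUT byte that is the last byte of the buffer no longer fetches its escaped follower but falls into the `else` of this `if`, so the byte is reinterpreted as a different token class rather than being treated as truncation; that `else` is outside the hunk, so I cannot see what it does with the record. If the fall-through is intended, a comment such as `/* UMLAUT as last byte of the buffer: no escaped byte follows, fall through */` would make that explicit; otherwise testing `len` inside the UMLAUT branch, `if (len == 0) break;`, would keep the truncation handling in one place. `fastfind_mmap` continues past the end of this hunk.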