From 891cc370a65bc6ee11c864eeddca51dfc2fbfb97 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann
Date: Sun, 24 May 2020 23:13:19 +0200
Subject: [PATCH] libpkgconf: personality: fix out of boundary access

It is possible to set the instruction pointer to undefined values by using an operator larger than ':' in ASCII. Since the personality function array does not have 256 entries, an invalid operator can overflow the array.

Proof of concept:

$ echo "a _ b" > poc
$ ln -s $(which pkgconf) poc-pkgconf
$ ./poc-pkgconf
---
 libpkgconf/personality.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libpkgconf/personality.c b/libpkgconf/personality.c
index bbbbbf9..a39d2fd 100644
--- a/libpkgconf/personality.c
+++ b/libpkgconf/personality.c
@@ -168,7 +168,7 @@ personality_keyword_set(pkgconf_cross_personality_t *p, const size_t lineno, con
 pair->func(p, keyword, lineno, pair->offset, value);
 }
-static const pkgconf_parser_operand_func_t personality_parser_ops[] = {
+static const pkgconf_parser_operand_func_t personality_parser_ops[256] = {
 [':'] = (pkgconf_parser_operand_func_t) personality_keyword_set
 };
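Review bot: Sizing `personality_parser_ops` to 256 only covers the index range 0..255; the lookup site is not in this hunk, and if it indexes the table with a plain `char` operator, bytes at or above 0x80 become a negative index on platforms where `char` is signed, so the read can still land before the array. The lookup should index through `(unsigned char)` so every possible input byte maps into the 256 slots, and a null-check before calling the entry is still required because all non-':' slots are now NULL rather than out of bounds. The reason for the magic size is worth recording on the declaration, e.g. `/* indexed by the raw operator byte via (unsigned char); 256 entries so any byte is in bounds and unset operators are NULL */`. Any sibling operand tables indexed the same way presumably need the same sizing; this commit touches only this one.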