From 92745ad9cb0404c5af097596300f6d26320a5581 Mon Sep 17 00:00:00 2001 From: Tobias Stoeckmann Date: Sun, 24 May 2020 21:51:14 +0200 Subject: [PATCH] libpkgconf: parser: fix out of boundary access It is possible to trigger an out of boundary access with specially crafted files. If a line consists of only a key and spaces, then op will point to '\0'-ending of the buffer. Since p is iterated by one byte right past this ending '\0', the next read access to p is effectively out of bounds. Theoretically this can also lead to out of boundary writes if spaces are encountered. Proof of concept (I recommend compiling with address sanitizer): $ echo -n a > poc.pc $ dd if=/dev/zero bs=1 count=65533 | tr '\0' ' ' >> poc.pc $ pkgconf poc.pc --- libpkgconf/parser.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libpkgconf/parser.c b/libpkgconf/parser.c index 17aa697..7ac9362 100644 --- a/libpkgconf/parser.c +++ b/libpkgconf/parser.c @@ -66,8 +66,11 @@ pkgconf_parser_parse(FILE *f, void *data, const pkgconf_parser_operand_func_t *o } op = *p; - *p = '\0'; - p++; + if (*p != '\0') + { + *p = '\0'; + p++; + } while (*p && isspace((unsigned int)*p)) p++;
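Review bot: the guard correctly keeps p on the terminating NUL when the line ends right after the key, but the unchanged context line `while (*p && isspace((unsigned int)*p)) p++;` still casts through `unsigned int`: where char is signed, a byte >= 0x80 in a crafted .pc file becomes a value outside the range isspace() accepts (EOF or an unsigned char value), which is undefined behaviour, so the cast should be `(unsigned char)`. After this hunk op can legitimately be '\0' (key with no operator), so the code that follows must not assume an operator was found; a short comment at the new `if` saying that p is intentionally left on the terminator in that case would make the contract explicit.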
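To make the off-by-one visible without running pkgconf under a sanitizer, here is an added, hypothetical C model of the three statements around the fix (op = *p; *p = '\0'; p++; then the whitespace skip). It is not pkgconf's parser.c: the tokenizer, the struct, the function names split_key/demo/split_copy and the 64-byte buffer are all assumptions of this example. The constructed input scales the proof of concept down: key "a", a few spaces, the line's NUL, and then space bytes standing in for whatever follows the buffer in memory, all inside one array so the demonstration itself stays well defined.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified, hypothetical model of the key/operator split that the commit
 * message describes. It is NOT pkgconf's parser.c; it only reproduces the
 * statements around the fix (op = *p; *p = '\0'; p++; skip spaces) so the
 * out-of-bounds step can be observed on a constructed line. */

typedef struct {
    size_t key_len;   /* length of the key token at the start of the line */
    char   op;        /* operator byte found after the key, '\0' if none */
    size_t next_off;  /* offset of p after the operator step and space skip */
    int    overran;   /* 1 if p ended up past the line's terminating NUL */
} split_result;

/* fixed != 0 selects the guarded version from the patch; 0 selects the
 * pre-patch behaviour. 'line' must be NUL-terminated and, for the vulnerable
 * variant, must be followed by readable memory, because that variant steps
 * past the terminator by design. */
static split_result split_key(char *line, int fixed)
{
    split_result r = {0, '\0', 0, 0};
    size_t len = strlen(line);   /* recorded before the buffer is modified */
    char *p = line;
    char *key;

    /* key: run of bytes up to whitespace or an operator character */
    while (*p && isspace((unsigned char)*p))
        p++;
    key = p;
    while (*p && !isspace((unsigned char)*p) && *p != '=' && *p != ':')
        p++;
    r.key_len = (size_t)(p - key);

    /* skip whitespace between key and operator; on "key   " this stops at NUL */
    while (*p && isspace((unsigned char)*p))
        p++;

    r.op = *p;
    if (fixed) {
        /* patched: only terminate and advance when there really is an operator */
        if (*p != '\0') {
            *p = '\0';
            p++;
        }
    } else {
        /* pre-patch: unconditional; when *p is already the terminator this
         * leaves p one byte past the end of the string */
        *p = '\0';
        p++;
    }

    /* the next read in the original code: with the old behaviour on a
     * key-only line this scans whatever lies beyond the terminator */
    while (*p && isspace((unsigned char)*p))
        p++;

    r.next_off = (size_t)(p - line);
    r.overran = r.next_off > len;
    return r;
}

/* Constructed stand-in for the proof of concept: key "a", spaces, the
 * terminator, then space bytes that play the role of whatever follows the
 * line buffer in memory (the worst case the commit message mentions). */
static split_result demo(int fixed)
{
    char mem[64];
    memset(mem, ' ', sizeof mem);
    mem[sizeof mem - 1] = '\0';
    memcpy(mem, "a   ", 4);
    mem[4] = '\0';               /* end of the line as the parser sees it */
    return split_key(mem, fixed);
}

/* Copy a literal into a zero-filled scratch buffer and split it. */
static split_result split_copy(const char *src, int fixed)
{
    char buf[128] = {0};
    strncpy(buf, src, sizeof buf - 1);
    return split_key(buf, fixed);
}

int main(void)
{
    split_result old = demo(0), new_ = demo(1);
    printf("pre-patch: p at offset %zu, overran=%d\n", old.next_off, old.overran);
    printf("patched:   p at offset %zu, overran=%d\n", new_.next_off, new_.overran);
    split_result r = split_copy("Name: foo", 1);
    printf("\"Name: foo\" -> key_len=%zu op='%c' value at %zu\n",
           r.key_len, r.op, r.next_off);
    return 0;
}
```

On the key-only line the pre-patch path lands p 59 bytes beyond the 4-byte string because every byte after the terminator happens to be a space, which is exactly the situation the 65533-space proof of concept sets up against a full-size buffer; the patched path leaves p on the terminator. A normal "Name: foo" line is split identically by both variants, so the guard changes behaviour only in the degenerate case.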