libpkgconf: parser: fix out of boundary access

It is possible to trigger an out of boundary access with specially
crafted files. If a line consists of only a key and spaces, then
op will point to '\0'-ending of the buffer. Since p is iterated by
one byte right past this ending '\0', the next read access to p is
effectively out of bounds.

Theoretically this can also lead to out of boundary writes if spaces
are encountered.

Proof of concept (I recommend compiling with address sanitizer):

$ echo -n a > poc.pc
$ dd if=/dev/zero bs=1 count=65533 | tr '\0' ' ' >> poc.pc
$ pkgconf poc.pc
pull/199/head
Tobias Stoeckmann 2020-05-24 21:51:14 +02:00 committed by Ariadne Conill
parent bd4ed1ca02
commit 92745ad9cb
1 changed files with 5 additions and 2 deletions
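The pointer walk the commit message describes, traced in C as an added example constructed for this page (it is not libpkgconf's parser; `walk_line`, `rd`, `walk_result` and the sample lines are names and inputs chosen here). Instead of dereferencing past the terminator, every read goes through a bounds-checked helper that records the overrun an unpatched build would perform, so the difference between the old and the patched step over the operator is visible without a sanitizer:

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result of tracing the parser's pointer walk over one line.
 * (Constructed for this page; not part of libpkgconf.) */
typedef struct {
    int oob;          /* 1 if a read past the terminating '\0' was attempted */
    size_t final_off; /* offset of p when the whitespace skip stopped */
    char op;          /* operator found after the key, '\0' if the line had none */
} walk_result;

/* Bounds-checked byte read standing in for *p: returns the byte at `off`,
 * or sets *oob and returns 0 when `off` lies beyond the buffer (what a real
 * dereference would do silently, and what ASan reports for the PoC). */
static int rd(const char *buf, size_t len, size_t off, int *oob)
{
    if (off >= len) {
        *oob = 1;
        return 0;
    }
    return (unsigned char)buf[off];
}

/* Trace the pattern in the hunk: advance past the key to the operator, record
 * it, step over it, then skip following whitespace. `guarded` selects the
 * patched behaviour (only step over the operator if it is not the '\0'). */
static walk_result walk_line(const char *line, int guarded)
{
    size_t len = strlen(line) + 1;   /* buffer length including the '\0' */
    walk_result r = {0, 0, '\0'};
    size_t off = 0;
    int c;

    /* key: everything up to an '=' or ':' operator, or the end of the line */
    while ((c = rd(line, len, off, &r.oob)) != 0 && c != '=' && c != ':')
        off++;

    r.op = (char)c;                   /* op = *p */
    if (!guarded || c != '\0')        /* patched: do not step past the '\0' */
        off++;                        /* p++ */

    /* while (*p && isspace(*p)) p++;  -- the read that overruns unpatched */
    while ((c = rd(line, len, off, &r.oob)) != 0 && isspace(c))
        off++;

    r.final_off = off;
    return r;
}

int main(void)
{
    /* Constructed inputs: a key-only line padded with spaces (the PoC shape)
     * and an ordinary "key = value" line. */
    const char *key_only = "a        ";
    const char *normal = "Name = foo";
    walk_result r;

    r = walk_line(key_only, 0);
    printf("unpatched, key-only: oob=%d op=0x%02x stop=%zu\n", r.oob, (unsigned)r.op, r.final_off);
    r = walk_line(key_only, 1);
    printf("patched,   key-only: oob=%d op=0x%02x stop=%zu\n", r.oob, (unsigned)r.op, r.final_off);
    r = walk_line(normal, 1);
    printf("patched,   normal:   oob=%d op='%c' stop=%zu\n", r.oob, r.op, r.final_off);
    return 0;
}
```

For the key-only line the unpatched walk ends one byte beyond the buffer (the read the PoC's 65533 spaces turn into a sanitizer report), while the patched walk stops on the terminator; a line with an operator behaves identically either way.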


@ -66,8 +66,11 @@ pkgconf_parser_parse(FILE *f, void *data, const pkgconf_parser_operand_func_t *o
} }
op = *p; op = *p;
*p = '\0'; if (*p != '\0')
p++; {
*p = '\0';
p++;
}
while (*p && isspace((unsigned int)*p)) while (*p && isspace((unsigned int)*p))
p++; p++;
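Review bot: the new `if (*p != '\0')` guard around `*p = '\0'; p++;` is the right fix for the read past the terminator, but when the key loop reaches end of line `op` is left as `'\0'` and the following `while (*p && isspace(...))` loop simply exits with `p` still on the terminator; nothing in this hunk shows the key-only line being rejected, so it is worth confirming that the code consuming `op` further down treats `'\0'` as "no operator" rather than proceeding with an empty value. A brief comment on the guard stating that `p` may already sit on the terminator would make the intent clear to the next reader.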