ariadne
/
pkgconf
3
6
Fork 4
Code Issues 6 Pull Requests 2 Projects Releases 2 Wiki Activity

libpkgconf: personality: fix out of boundary access 

It is possible to set the instruction pointer to undefined values by
using an operator larger than ':' in ASCII.

Since the personality function array does not have 256 entries, an
invalid operator can overflow the array.

Proof of concept:

$ echo "a _ b" > poc
$ ln -s $(which pkgconf) poc-pkgconf
$ ./poc-pkgconf
pull/199/head
Tobias Stoeckmann 2020-05-24 23:13:19 +02:00 committed by Ariadne Conill
parent dd57abfe9f
commit 9e16d2709c
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
libpkgconf/personality.c
View File

@ -179,7 +179,7 @@ personality_keyword_set(pkgconf_cross_personality_t *p, const size_t lineno, con
pair->func(p, keyword, lineno, pair->offset, value); pair->func(p, keyword, lineno, pair->offset, value);
} }
static const pkgconf_parser_operand_func_t personality_parser_ops[] = { static const pkgconf_parser_operand_func_t personality_parser_ops[256] = {
[':'] = (pkgconf_parser_operand_func_t) personality_keyword_set [':'] = (pkgconf_parser_operand_func_t) personality_keyword_set
}; };