Commit Graph

5 Commits (a8a492e2e44091a3271690fd0c02513e576df2ec)

Author SHA1 Message Date
Taylor R Campbell 212c85863a Avoid undefined behaviour with the ctype(3) functions.
ci/woodpecker/push/woodpecker Pipeline was successful Details
fix https://github.com/pkgconf/pkgconf/issues/291

As defined in the C standard:

        In all cases the argument is an int, the value of which shall
        be representable as an unsigned char or shall equal the value
        of the macro EOF.  If the argument has any other value, the
        behavior is undefined.

This is because they're designed to work with the int values returned
by getc or fgetc; they need extra work to handle a char value.

If EOF is -1 (as it almost always is), with 8-bit bytes, the allowed
inputs to the ctype(3) functions are:

        {-1, 0, 1, 2, 3, ..., 255}.

However, on platforms where char is signed, such as x86 with the
usual ABI, code like

        char *ptr = ...;
        ... isspace(*ptr) ...

may pass in values in the range:

        {-128, -127, -126, ..., -2, -1, 0, 1, ..., 127}.

This has two problems:

1. Inputs in the set {-128, -127, -126, ..., -2} are forbidden.

2. The non-EOF byte 0xff is conflated with the value EOF = -1, so
   even though the input is not forbidden, it may give the wrong
   answer.

Casting char to unsigned int first before passing the result to
ctype(3) doesn't help: inputs like -128 are unchanged by this cast,
because (on a two's-complement machine with 32-bit int and unsigned
int), converting the signed char with integer value -128 to unsigned
int gives integer value 2^32 - 128 = 0xffffff80, which is out of
range, and which is converted in int back to -128, which is also out
of range.

It is necessary to cast char inputs to unsigned char first; you can
then cast to unsigned int if you like but there's no need because the
functions will always convert the argument to int by definition.  So
the above fragment needs to be:

        char *ptr = ...;
        ... isspace((unsigned char)*ptr) ...

This patch changes unsigned int casts to unsigned char casts, and
adds unsigned char casts where they are missing.
2023-05-02 11:43:56 -07:00
Timo Röhling 506ebab7d6 Ignore whitespace indentation
ci/woodpecker/push/woodpecker Pipeline was successful Details
Fixes #265
2023-01-21 20:09:52 +00:00
Tobias Stoeckmann 92745ad9cb libpkgconf: parser: fix out of boundary access
It is possible to trigger an out of boundary access with specially
crafted files. If a line consist of only a key and spaces, then
op will point to '\0'-ending of the buffer. Since p is iterated by
one byte right past this ending '\0', the next read access to p is
effectively out of bounds.

Theoretically this can also lead to out of boundary writes if spaces
are encountered.

Proof of concept (I recommend to compile with address sanitizer):

$ echo -n a > poc.pc
$ dd if=/dev/zero bs=1 count=65533 | tr '\0' ' ' >> poc.pc
$ pkgconf poc.pc
2020-05-24 14:10:18 -06:00
Alexander Tsoy db9c1e96a1
fix the order of header includes
config.h should be included before stdinc.h, otherwise large file
support is not enabled.

Downstream bug: https://bugs.gentoo.org/687548
2019-06-08 04:55:52 +03:00
William Pitcock 1244f8f8e7 libpkgconf: refactor out the rfc822 message parser so that the cross-personality code can share it 2018-05-09 21:21:39 -05:00