forked from ariadne/pkgconf
100bc605de
fragment_quote adds quotation to fragments if needed. It allocates a buffer and grows it as needed. Unfortunately the dst pointer is not updated after a realloc, which means that dst still points into the old memory area. Further writing characters into that area leads to out of boundy writes. Proof of concept: $ cat > poc.pc << EOF Name: poc Description: poc Version: 1 CFlags: -Ia CFlags: -I%%%%%%%%%%%%%%%%%%%%b CFlags: -I%%%%%%%%%%%%%%%%%%%%c CFlags: -Id EOF $ pkgconf --cflags poc.pc Most reliable attempt is to compile pkgconf with address sanitizer, but this file should lead to an abort on a glibc system due to modified chunk pointers (tested with Linux on amd64). But since this is undefined behaviour, it depends on system details. |
||
|---|---|---|
| .. | ||
| argvsplit.c | ||
| audit.c | ||
| bsdstubs.c | ||
| bsdstubs.h | ||
| cache.c | ||
| client.c | ||
| config.h.meson | ||
| dependency.c | ||
| fileio.c | ||
| fragment.c | ||
| iter.h | ||
| libpkgconf-api.h | ||
| libpkgconf.h | ||
| meson.build | ||
| parser.c | ||
| path.c | ||
| personality.c | ||
| pkg.c | ||
| queue.c | ||
| stdinc.h | ||
| tuple.c | ||
| win-dirent.h | ||