Skip to content

Commit

Permalink
Prevent bin_file() -> is_utf8_well_formed() buffer overrun (#271)
Browse files Browse the repository at this point in the history 
When supplied with a file of random data >256 bytes, read()
would return a full buffer of data[256] to bin_file().
That function loops through the buffer, but calls is_utf8_well_formed()
with the full length of the buffer.  When looping on the last byte of the
buffer, is_uft8_well_formed() reads past the end.

This commit fixes bin_file() to only inspect the remaining bytes in the
buffer.

Found and tested with CheriBSD on an Arm Morello platform running with strong
memory safety
  • Loading branch information
@tmarkettos
tmarkettos committed Jun 21, 2022
1 parent 4fc29a0 commit 99510e6
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion filename.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -477,7 +477,7 @@ bin_file(f)
edata = &data[n];
for (p = data; p < edata; )
{
if (utf_mode && !is_utf8_well_formed(p, edata-data))
if (utf_mode && !is_utf8_well_formed(p, edata-p))
{
bin_count++;
utf_skip_to_lead(&p, edata);
Expand Down

0 comments on commit 99510e6

Please sign in to comment.