Prevent bin_file() -> is_utf8_well_formed() buffer overrun #271
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When supplied with a file of random data >256 bytes, read() would return a full buffer of data[256] to bin_file(). That function loops through the buffer, but calls is_utf8_well_formed() with the full length of the buffer. When looping on the last byte of the buffer, is_uft8_well_formed() reads past the end. This commit fixes bin_file() to only inspect the remaining bytes in the buffer. Found and tested with CheriBSD on an Arm Morello platform running with strong memory safety
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When supplied with a file of random data >256 bytes, read()
would return a full buffer of data[256] to bin_file().
That function loops through the buffer, but calls is_utf8_well_formed()
with the full length of the buffer. When looping on the last byte of the
buffer, is_uft8_well_formed() reads past the end.
This commit fixes bin_file() to only inspect the remaining bytes in the
buffer.
Found and tested with CheriBSD on an Arm Morello platform running with strong
memory safety.
Example file of random data 'rand' attached (zipped), sha256sum:
a1419d3bcf8702b825a5a565a49ded104d5df3f04995244c06cd41430f5d6cf7 randrand.zip