Fix memory safety issues #260
Commits on Jan 4, 2022
ucl_lex_json_string: fix out-of-bounds read
If the string ends with a '\', the function tried to read the next character before checking bounds. This commit moves the bounds check before the read to avoid the out-of-bounds read. Fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21578
Commit ac8d760
-
ucl_parse_value: fix out-of-bounds read
If the string ends with a multiline terminator without a newline, the function tried to read the next character to check for a newline without checking whether the pointer was past the end of the buffer. This commit adds a bounds check and returns early with an error in case of a missing newline. Fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21579
Commit 08de358
-
ucl_check_variable: fix out_len on unterminated variable
If the input contains '${' but no following '}', ucl_check_variable should still increment out_len since ucl_expand_variable will copy the '$' in the destination buffer. Fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24591
Commit 3a94514
-
ucl_inherit_handler: fix format string for non-null-terminated strings
I believe this was the intent of the original format string, but two characters got swapped. See printf docs at https://www.gnu.org/software/libc/manual/html_node/Output-Conversion-Syntax.html#Output-Conversion-Syntax. Fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25626 Fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33041
Commit 54a5b59
-
ucl_strnstr: fix out-of-bounds read
The strncmp call could read past the bounds of the haystack. The loop now stops when the remaining data in the haystack cannot contain the needle. Fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28135
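The over-read described in this commit, shown on a constructed example that is not libucl's own ucl_strnstr: a search over a non-NUL-terminated window that stops once the remaining bytes cannot hold the needle, beside the naive loop it replaces. Function names, the sample buffer and the window length are all assumptions made for this illustration.

```c
#include <stddef.h>
#include <string.h>

/* Bounded substring search (constructed example, not libucl code).
 * Returns a pointer to the first occurrence of the needle_len-byte needle
 * inside the first hay_len bytes of haystack, or NULL.
 * Neither buffer needs to be NUL-terminated. */
static const char *
bounded_strnstr(const char *haystack, size_t hay_len,
                const char *needle, size_t needle_len)
{
	size_t i;

	if (needle_len == 0) {
		return haystack;
	}
	/* Stop as soon as fewer than needle_len bytes remain: a comparison
	 * starting later would have to read beyond haystack + hay_len. */
	for (i = 0; i + needle_len <= hay_len; i++) {
		if (haystack[i] == needle[0] &&
		    memcmp(haystack + i, needle, needle_len) == 0) {
			return haystack + i;
		}
	}
	return NULL;
}

/* The pattern the commit replaces: the loop runs to the end of the window,
 * so strncmp near the end compares bytes that lie past hay_len. */
static long
naive_offset(const char *haystack, size_t hay_len, const char *needle)
{
	size_t needle_len = strlen(needle);
	size_t i;

	for (i = 0; i < hay_len; i++) {
		if (strncmp(haystack + i, needle, needle_len) == 0) {
			return (long)i;
		}
	}
	return -1L;
}

/* Offset of the match inside the window, or -1 if not found. */
static long
safe_offset(const char *haystack, size_t hay_len, const char *needle)
{
	const char *p = bounded_strnstr(haystack, hay_len, needle, strlen(needle));
	return p ? (long)(p - haystack) : -1L;
}
```

With the constructed buffer "abcXYZ" and a 3-byte window, the naive loop reports a match for "cXY" at offset 2 because it compared bytes outside the window; the bounded version correctly reports no match.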
Commit 852f752
-
ucl_expand_variable: fix out-of-bounds read
If the input ends in '$', calling ucl_check_variable will result in an out-of-bounds read. Fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34755
Commit f9e5446
-
ucl_object_copy_internal: use memcpy instead of strdup
Keys may have null bytes when they are decoded from JSON in ucl_unescape_json_string and contain \u0000. Not copying the full key resulted in out-of-bounds reads. The copy now relies on memcpy and keylen instead of strdup. Fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38579 Fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38675
Commit a9c0965
Commits on Jan 5, 2022
ucl_chunk_skipc: avoid out-of-bounds read
This macro is often used in loops before checking for the end-of-chunk condition. Adding a bounds check in there prevents reading past the buffer.
Commit 9e0e06f
-
ucl_expand_single_variable: better bounds check
This commit improves variable expansion and adds:
- an in_len argument to the function in order to avoid reading past the end of the src buffer
- a check that the variable name is followed by '}' in strict mode
- extra bounds checks to prevent out-of-bounds reads and writes
Commit 9b898ea
-
Commit 110428d