Fix memory safety issues #260
Merged
Commits on Jan 4, 2022
-
ucl_lex_json_string: fix out-of-bounds read
If the string ends with a '\', the function tried to read the next character before checking bounds. This commit move the bounds check before the read to avoid the out-of-bounds read. Fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21578
-
ucl_parse_value: fix out-of-bounds read
If the string ends with a Multiline terminator without a newline, the function tried to read the next character to check for a newline without checking if the pointer was past the end of the buffer. This commit adds a bounds check and return early with an error in case of missing newline. Fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21579
-
ucl_check_variable: fix out_len on unterminated variable
If the input contains '${' but no following '}', ucl_check_variable should still increment out_len since ucl_expand_variable will copy the '$' in the destination buffer. Fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24591 -
ucl_inherit_handler: fix format string for non-null-terminated strings
I believe this was the intent of the original format string, but two characters got swapped. See printf docs at https://www.gnu.org/software/libc/manual/html_node/Output-Conversion-Syntax.html#Output-Conversion-Syntax. Fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25626 Fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33041
-
ucl_strnstr: fix out-of-bounds read
The strncmp call could read past the bounds of the haystack. The loop now stop when the remaining data in the haystack cannot contain the needle. Fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28135
-
ucl_expand_variable: fix out-of-bounds read
If the input ends in '$', calling ucl_check_variable will result in an out-of-bounds read. Fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34755
-
ucl_object_copy_internal: use memcpy instead of strdup
Keys may have null bytes, when they are decoded from json in ucl_unescape_json_string and contain \u0000. Not copying the full key resulted in out-of-bounds reads. The copy now relies on memcpy and keylen instead of strdup. Fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38579 Fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38675
Commits on Jan 5, 2022
-
ucl_chunk_skipc: avoid out-of-bounds read
This macro is often used in loops before checking whether the end of chunk condition. Adding a bounds check in there prevents reading past the buffer.
-
ucl_expand_single_variable: better bounds check
This commit improves variable expansion and adds: - an in_len argument to the function in order to avoid reading past the end of the src buffer - a check that the variable name is followed by '}' in strict mode - extra bounds check to prevent out of bounds reads and writes
-
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.