Fix memory safety issues #260

Merged
merged 10 commits into from
Jan 6, 2022
ucl_lex_json_string: fix out-of-bounds read
If the string ends with a '\', the function tried to read the next
character before checking bounds. This commit moves the bounds check
before the read to avoid the out-of-bounds read.

Fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21578
alpire committed Jan 4, 2022
commit ac8d76023386fb1f1b31b47cd294e28831929c96
4 changes: 2 additions & 2 deletions src/ucl_parser.c
Expand Up @@ -1053,13 +1053,13 @@ ucl_lex_json_string (struct ucl_parser *parser,
}
else if (c == '\\') {
ucl_chunk_skipc (chunk, p);
c = *p;
if (p >= chunk->end) {
ucl_set_err (parser, UCL_ESYNTAX, "unfinished escape character",
&parser->err);
return false;
}
else if (ucl_test_character (c, UCL_CHARACTER_ESCAPE)) {
c = *p;
if (ucl_test_character (c, UCL_CHARACTER_ESCAPE)) {
if (c == 'u') {
ucl_chunk_skipc (chunk, p);
for (i = 0; i < 4 && p < chunk->end; i ++) {
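Review bot: in the `c == 'u'` branch at the end of this hunk, the loop `for (i = 0; i < 4 && p < chunk->end; i ++)` can stop with fewer than four characters consumed when the chunk ends in the middle of a `\u` escape, and the lines shown here do not say whether that case is rejected. Please confirm there is a check after the loop (for example on `i` or on `p >= chunk->end`) that reports a syntax error the same way the reordered `if (p >= chunk->end)` check now does for a trailing backslash. Separately, the commit touches only src/ucl_parser.c: adding the fuzzer input, or a minimal string ending in a lone `\`, as a regression test would keep the `c = *p;` read from drifting back above the bounds check.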