From: Rich Felker <dalias@libc.org>
To: musl@lists.openwall.com
Subject: Re: [PATCH] Fix off-by-one buffer overflow in getdelim
Date: Sat, 24 Oct 2015 17:36:45 -0400 [thread overview]
Message-ID: <20151024213645.GU8645@brightrain.aerifal.cx> (raw)
In-Reply-To: <20151024204339.GA1352@nyan>
[-- Attachment #1: Type: text/plain, Size: 1283 bytes --]
On Sat, Oct 24, 2015 at 10:43:39PM +0200, Felix Janda wrote:
> when deciding whether to resize the buffer, the terminating null byte
> was not taken into account
> ---
> src/stdio/getdelim.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/stdio/getdelim.c b/src/stdio/getdelim.c
> index a88c393..3077490 100644
> --- a/src/stdio/getdelim.c
> +++ b/src/stdio/getdelim.c
> @@ -27,7 +27,7 @@ ssize_t getdelim(char **restrict s, size_t *restrict n, int delim, FILE *restric
> for (;;) {
> z = memchr(f->rpos, delim, f->rend - f->rpos);
> k = z ? z - f->rpos + 1 : f->rend - f->rpos;
> - if (i+k >= *n) {
> + if (i+k+1 >= *n) {
> if (k >= SIZE_MAX/2-i) goto oom;
> *n = i+k+2;
> if (*n < SIZE_MAX/4) *n *= 2;
> --
> 2.4.9
I think you're mistaken. i+k is the space needed so far in the buffer
(not counting the terminating null byte) and *n is the usable space.
The equality case of the i+k >= *n conditional covers the need to
expand the buffer when the new content of length k would exactly fit
but would not leave room for null termination.
Just to make sure I wrote a quick test program, which I've attached,
that should crash in free if the overflow occurs. It does not crash
and the output demonstrates correct resizing.
Rich
[-- Attachment #2: getdelim.c --]
[-- Type: text/plain, Size: 422 bytes --]
#include <stdio.h>
#include <stdlib.h>
#include <malloc.h>
int main()
{
int i;
FILE *f = tmpfile();
putc('\n', f);
for (i=1; i<32; i++) {
fseek(f, -1, SEEK_END);
fputs("x\n", f);
rewind(f);
ungetc(getc(f), f);
size_t n = i+1;
char *s = malloc(n);;
printf("%zu %zu ", n, malloc_usable_size(s));
size_t ret = getline(&s, &n, f);
printf("%zu %zu %zu\n", ret, n, malloc_usable_size(s));
free(s);
}
}
next prev parent reply other threads:[~2015-10-24 21:36 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-24 20:43 Felix Janda
2015-10-24 21:36 ` Rich Felker [this message]
2015-10-24 22:25 ` Felix Janda
2015-10-24 23:35 ` Rich Felker
2015-10-25 0:32 ` Rich Felker
2015-10-25 6:18 ` Felix Janda
2018-09-16 18:25 ` Rich Felker
2018-09-16 18:34 ` Rich Felker
2018-09-16 23:32 ` Rich Felker
2018-09-17 2:01 ` Rich Felker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151024213645.GU8645@brightrain.aerifal.cx \
--to=dalias@libc.org \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).