Another buffer overflow has been found. To recap, libdraw/font.c has a hand-rolled realloc, which I replaced with reallocarray (until it is fixed upstream: https://plan9port-review.googlesource.com/#/c/1520/).
Then I found another overflow in 9term/win.c, caused by missing parentheses (for details see: https://plan9port-review.googlesource.com/#/c/1540/).
Ray
Index: Makefile
===================================================================
RCS file: /home/cvs/ports/plan9/plan9port/Makefile,v
retrieving revision 1.14
diff -u -p -r1.14 Makefile
--- Makefile 22 Apr 2016 02:43:05 -0000 1.14
+++ Makefile 25 Apr 2016 11:59:03 -0000
@@ -6,6 +6,7 @@ BROKEN-powerpc = threading issues
 COMMENT = Plan 9 from user space
 DISTNAME = plan9port-20160418
+PKGNAME = ${DISTNAME}p0
 GH_ACCOUNT = 9fans
 GH_PROJECT = plan9port
cvs diff: Diffing patches
Index: patches/patch-src_cmd_9term_win_c
===================================================================
RCS file: patches/patch-src_cmd_9term_win_c
diff -N patches/patch-src_cmd_9term_win_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_cmd_9term_win_c 23 May 2016 14:28:05 -0000
@@ -0,0 +1,12 @@
+$OpenBSD$
+--- src/cmd/9term/win.c.orig Tue Apr 19 02:07:22 2016
++++ src/cmd/9term/win.c Mon May 23 22:28:05 2016
+@@ -634,7 +634,7 @@ label(char *sr, int n)
+ 
+ el = r+1;
+ if(el-sr > sizeof wdir - strlen(name) - 20)
+- sr = el - sizeof wdir - strlen(name) - 20;
++ sr = el - (sizeof wdir - strlen(name) - 20);
+ for(sl=el-3; sl>=sr; sl--)
+ if(sl[0]=='\033' && sl[1]==']' && sl[2]==';')
+ break;
Index: patches/patch-src_libdraw_font_c
===================================================================
RCS file: patches/patch-src_libdraw_font_c
diff -N patches/patch-src_libdraw_font_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_libdraw_font_c 5 Apr 2016 13:56:47 -0000
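Review bot: The parenthesised clamp on the `++` line is the right fix for the guard that precedes it, but the budget `sizeof wdir - strlen(name) - 20` is evaluated in size_t and wraps to a huge value whenever strlen(name) + 20 exceeds sizeof wdir; the guard then compares `el-sr` (a ptrdiff_t, converted to unsigned by the comparison) against that huge value and never clamps, so an oversized name would defeat the protection this patch restores. Computing the budget once and rejecting an oversize name before it is used would close that gap, e.g. `size_t room = sizeof wdir - strlen(name) - 20;` guarded by a preceding check that `strlen(name) + 20 < sizeof wdir`, with `room` used in both the comparison and the clamp. The declarations of `wdir` and `name` and the remainder of label() are outside the hunk, so whether `name` can actually reach that length here is inferred, not visible.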
@@ -0,0 +1,21 @@
+$OpenBSD$
+--- src/libdraw/font.c.orig Fri Jan 22 19:52:32 2016
++++ src/libdraw/font.c Tue Apr 5 21:29:31 2016
+@@ -222,16 +222,14 @@ loadchar(Font *f, Rune r, Cacheinfo *c, int h, int nof
+ subf->age = 0;
+ }else{ /* too recent; grow instead */
+ of = f->subf;
+- f->subf = malloc((f->nsubf+DSUBF)*sizeof *subf);
++ f->subf = reallocarray(of, f->nsubf+DSUBF, sizeof *subf);
+ if(f->subf == nil){
+ f->subf = of;
+ goto Toss;
+ }
+- memmove(f->subf, of, (f->nsubf+DSUBF)*sizeof *subf);
+ memset(f->subf+f->nsubf, 0, DSUBF*sizeof *subf);
+ subf = &f->subf[f->nsubf];
+ f->nsubf += DSUBF;
+- free(of);
+ }
+ }
+ subf->age = 0;
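Review bot: The `++` line calls reallocarray without anything in this hunk showing that its prototype is in scope; if font.c only sees plan9port's own headers and they do not pull in the OpenBSD `<stdlib.h>`, the call is implicitly declared as returning int and the pointer is truncated on 64-bit targets, turning a fixed over-read into a crash on first use of f->subf. Whether u.h/libc.h already include stdlib.h is outside the hunk, so this needs confirming rather than assuming. The failure path on the following lines is correct for realloc semantics, since `of` still owns the old block when reallocarray returns nil. A short comment on the new line would record why this call replaces the malloc/memmove/free triple, e.g. `/* reallocarray: overflow-checked size, copies only the nsubf entries of actually exist */`; the Toss label and the rest of loadchar() are outside the hunk.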