[bug #61043] potential integer overflow vulnerability in src/preproc/grn

bug-groff

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug #61043] potential integer overflow vulnerability in src/preproc/grn

From:	G. Branden Robinson
Subject:	[bug #61043] potential integer overflow vulnerability in src/preproc/grn/hdb.cpp
Date:	Sun, 15 Aug 2021 20:11:09 -0400 (EDT)
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0

Follow-up Comment #2, bug #61043 (project groff):

I've prepared a patch that mitigates the impact of the underlying bug.  Here
it is.

I have not pushed this yet; I am making some other changes to address the
sloppy error handing of this program.


diff --git a/ChangeLog b/ChangeLog
index 6b5c245b..7bdee9a0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2021-08-16  G. Branden Robinson <g.branden.robinson@gmail.com>
+
+       * src/preproc/grn/hdb.cpp (DBRead): Check return value of
+       `sscanf()` and call `fatal()` if no conversions succeeded.  The
+       blithe discard of a useful return value is bad enough, but this
+       one took place inside a do-while such that it could loop
+       forever trying fruitlessly to parse two doubles out of strings
+       that didn't contain them (the loop never checked the EOF status
+       of the file stream from which it was reading, and relied on
+       `fgets()` to keep advancing the stream pointer).  Discovered
+       while root-causing Savannah #61043.
+
 2021-08-15  G. Branden Robinson <g.branden.robinson@gmail.com>
 
        Resolve compiler warnings relating to format string security and
diff --git a/src/preproc/grn/hdb.cpp b/src/preproc/grn/hdb.cpp
index c61e099b..0310d7ac 100644
--- a/src/preproc/grn/hdb.cpp
+++ b/src/preproc/grn/hdb.cpp
@@ -148,7 +148,11 @@ DBRead(register FILE *file)
          if (string[0] == '*') {       /* SUN gremlin file */
            lastpoint = TRUE;
          } else {
-           (void) sscanf(string, "%lf%lf", &x, &y);
+           if (!sscanf(string, "%lf%lf", &x, &y)) {
+             error("expected coordinate pair, got '%1';"
+                   " giving up on this picture", string);
+             return(elist);
+           }
            if ((x == -1.00 && y == -1.00) && (!SUNFILE))
              lastpoint = TRUE;
            else {


Now, instead of looping forever, I get the following output.


$ ./build/test-groff -g -me -z gremlin.me
grn: error: expected coordinate pair, got 'CENTCENT'; giving up on this
picture


    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?61043>

_______________________________________________
  Message sent via Savannah
  https://savannah.gnu.org/

[Prev in Thread]

Current Thread

[Next in Thread]

[bug #61043] potential integer overflow vulnerability in src/preproc/grn/hdb.cpp, INVALID.NOREPLY, 2021/08/15
- [bug #61043] potential integer overflow vulnerability in src/preproc/grn/hdb.cpp, G. Branden Robinson, 2021/08/15
  - [bug #61043] potential integer overflow vulnerability in src/preproc/grn/hdb.cpp, G. Branden Robinson <=
    - [bug #61043] potential integer overflow vulnerability in src/preproc/grn/hdb.cpp, G. Branden Robinson, 2021/08/16
    - [bug #61043] potential integer overflow vulnerability in src/preproc/grn/hdb.cpp, G. Branden Robinson, 2021/08/16

Prev by Date: [bug #55081] [me] two-column output does not work with footnotes or very long page lengths
Next by Date: [bug #61043] potential integer overflow vulnerability in src/preproc/grn/hdb.cpp
Previous by thread: [bug #61043] potential integer overflow vulnerability in src/preproc/grn/hdb.cpp
Next by thread: [bug #61043] potential integer overflow vulnerability in src/preproc/grn/hdb.cpp
Index(es):
- Date
- Thread