From: G. Branden Robinson
Subject: [bug #61043] potential integer overflow vulnerability in src/preproc/grn/hdb.cpp
Date: Mon, 16 Aug 2021 09:19:06 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0

Update of bug #61043 (project groff):

                  Status:             In Progress => Fixed                  
             Open/Closed:                    Open => Closed                 
         Planned Release:                    None => 1.23.0                 

    _______________________________________________________

Follow-up Comment #3:

I've addressed an avenue for a denial-of-service (unbounded use of CPU
time)...


commit 50216a235cd8214b9565ef0c0049fc4ed549650e
Author: G. Branden Robinson <g.branden.robinson@gmail.com>
Date:   Mon Aug 16 03:31:08 2021 +1000

    [grn]: Fix infinite loop on bad input.
    
    * src/preproc/grn/hdb.cpp (DBRead): Check return value of `sscanf()` and
      call `fatal()` if no conversions succeeded.  The blithe discard of a
      useful return value is bad enough, but this one took place inside a
      do-while such that it could loop forever trying fruitlessly to parse
      two doubles out of strings that didn't contain them (the loop never
      checked the EOF status of the file stream from which it was reading,
      and relied on `fgets()` to keep advancing the stream pointer).
      Discovered while root-causing Savannah #61043.


...added checks of the return value of `malloc()`...


commit 0d56933b896e7bc2c7193daf7b740fe06e9196f6
Author: G. Branden Robinson <g.branden.robinson@gmail.com>
Date:   Mon Aug 16 10:19:39 2021 +1000

    [grn]: Add and use `malloc()` wrapper.
    
    * /src/preproc/grn/main.cpp (grnmalloc): New function takes argument of
      `size_t` type and constant string argument to describe what is being
      allocated.  Return non-null pointer from `malloc()`, otherwise call
      `fatal()`, describing what was being allocated and the problem
      reported by the system.
    
    * src/preproc/grn/hdb.cpp (DBCreateElt):
    * src/preproc/grn/hpoint.cpp (PTMakePoint):
    * /src/preproc/grn/main.cpp (main, interpret): Migrate `malloc()`
      callers to `grnmalloc()`.


...and addressed the reported potential integer overflow.


commit eb4f0675e322d50c69d36625f296f8260fafeb46
Author: G. Branden Robinson <g.branden.robinson@gmail.com>
Date:   Mon Aug 16 11:09:16 2021 +1000

    [grn]: Perform more input validation.
    
    * src/preproc/grn/hdb.cpp: Perform more input validation.  Improve
      diagnostics by taking advantage of libgroff infrastructure and
      tracking the line number of the input file.  Add global `lineno`.
    
      (DBRead): Increment `lineno` after reading newlines from input.  Call
      `error_with_file_and_line()` instead of `error()`.  If input reports a
      negative length for the text (string) to follow in the file, exit with
      a fatal diagnostic.  Check for EOF while reading text string.
    
      (DBGetType): Convert `fprintf()` call for warning diagnostic to
      `warning_with_file_and_line()`.
    
      (DBRead, DBGetType): Add contextual information to diagnostic
      messages.
    
    Fixes <https://savannah.gnu.org/bugs/?61043>.   Thanks to Savannah user
    eqkws for the report.


    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?61043>

_______________________________________________
  Message sent via Savannah
  https://savannah.gnu.org/
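As an added illustration of the loop defect the first commit message describes (constructed for this page, not groff's own code): a simplified point reader that, unlike the pre-fix do-while, checks both `fgets()` for EOF and `sscanf()` for a complete conversion, so truncated or garbage input ends the loop with an error instead of spinning forever. The '*' terminator line, the result codes, the point cap and the sample inputs are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_POINTS 64

/* Result codes for the hypothetical reader (constructed for this example). */
enum { RD_OK = 0, RD_EOF = -1, RD_BAD_NUMBER = -2, RD_TOO_MANY = -3 };

/* Read "x y" lines until a line starting with '*' (terminator assumed here).
 * The pre-fix loop discarded sscanf()'s return value and never tested EOF:
 * once fgets() hits end of file it stops advancing the stream, sscanf()
 * keeps failing on the stale buffer, and the loop never exits.  Here every
 * read is checked.  Returns RD_OK and sets *count, or a negative code. */
int read_points(FILE *fp, double *xs, double *ys, int *count)
{
    char line[256];
    *count = 0;
    for (;;) {
        if (fgets(line, sizeof line, fp) == NULL)
            return RD_EOF;             /* truncated input: stop, do not spin */
        if (line[0] == '*')
            return RD_OK;              /* terminator reached */
        if (*count >= MAX_POINTS)
            return RD_TOO_MANY;        /* bound the work per element */
        if (sscanf(line, "%lf %lf", &xs[*count], &ys[*count]) != 2)
            return RD_BAD_NUMBER;      /* no or partial conversion: fatal */
        (*count)++;
    }
}

/* Run the reader over an in-memory buffer so the example is self-contained;
 * fmemopen() is POSIX.1-2008 (provided by glibc). */
int parse_points(const char *text, double *xs, double *ys, int *count)
{
    FILE *fp = fmemopen((void *)text, strlen(text), "r");
    if (fp == NULL)
        return RD_EOF;
    int rc = read_points(fp, xs, ys, count);
    fclose(fp);
    return rc;
}

int main(void)
{
    double xs[MAX_POINTS], ys[MAX_POINTS];
    int n;
    /* constructed inputs: well-formed, truncated before '*', and a garbage line */
    printf("%d\n", parse_points("1 2\n3.5 4\n*\n", xs, ys, &n));  /* 0, n == 2 */
    printf("%d\n", parse_points("1 2\n3.5 4\n", xs, ys, &n));     /* -1 */
    printf("%d\n", parse_points("1 2\nabc\n*\n", xs, ys, &n));    /* -2 */
    return 0;
}
```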