This repository has been archived by the owner on Aug 11, 2021. It is now read-only.

Fix a heap buffer overflow vulnerability in Path::makeCanonical() #1

Closed
wants to merge 1 commit into from

Conversation

kyakdan

@kyakdan kyakdan commented May 17, 2020

Path::makeCanonical() has a heap buffer overflow vulnerability. An example of a concrete input that triggers this bug is initializing a Path object with the following string ................ and then calling the method. The cur variable is decremented by 2 in each iteration, and when the if statement is evaluated when the variable reaches 0, the check cur - 1 >= 0 is true since cur is of type std::string::size_type, which means it is always positive. This means that 0 - 1 is the maximum possible value, and then the next array access _impl->path[cur - 1] reads from an index outside the boundary of the allocated buffer. This bug was found by fuzzing this API using CI Fuzz from Code Intelligence.
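The unsigned-underflow pattern the PR describes, as an added illustration that is not the project's code and not the PR's own diff. It assumes a hypothetical backward walk over the path two characters at a time (the real makeCanonical() loop is not shown here); the point is that `cur - 1` on a `std::string::size_type` wraps to the type's maximum when `cur == 0`, so a `>= 0` comparison can never fail, and the bounds test has to be made on `cur` before subtracting from it:

```cpp
#include <cstddef>
#include <limits>
#include <optional>
#include <string>

using size_type = std::string::size_type;

// What the vulnerable check actually computes: for cur == 0 the subtraction
// wraps to size_type's maximum, so "cur - 1 >= 0" is true for every cur and
// the following path[cur - 1] reads far outside the buffer.
size_type wrapped_index(size_type cur) {
    return cur - 1;
}

// Hardened lookup: test the index before subtracting from it, and keep the
// result inside the string so the read can never leave the buffer.
std::optional<char> char_before(const std::string& path, size_type cur) {
    if (cur >= 1 && cur - 1 < path.size()) {
        return path[cur - 1];
    }
    return std::nullopt;
}

// Hypothetical loop (assumption, not the project's code) mirroring the
// description: cur starts at the end and steps back by 2, and the character
// before cur is inspected on every iteration, including when cur reaches 0.
// Returns the number of in-bounds reads; the cur == 0 step yields no read.
int walk_backwards(const std::string& path) {
    int reads = 0;
    size_type cur = path.size();
    for (;;) {
        if (char_before(path, cur).has_value()) {
            ++reads;
        }
        if (cur < 2) {
            break;  // guard the decrement itself against wrapping below 0
        }
        cur -= 2;
    }
    return reads;
}
```

With the wrapped read in place, AddressSanitizer (`-fsanitize=address`) reports the out-of-bounds access on the first iteration that reaches `cur == 0`, which is how a fuzzer surfaces this class of bug; the sixteen-dot input from the PR is an even-length string, so the walk lands exactly on 0.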

@PiJ82

PiJ82 commented Jul 8, 2020

Hi @kyakdan,

thank you for the fix :)
I'll look into it as soon as possible.

@Aalmann Aalmann closed this Aug 11, 2021