Fix possible stack overflow in option parsing routine

It is possible to create a stack overflow by giving an option that is
longer than the buffer that is used during option parsing because the
length of the input string is not checked.

Prevent the issue by always checking the input string length and
discarding options that do not fit in the buffer as invalid.

This issue has been assigned CVE-2017-12481.

Thanks to Gwan Yeong Kim for reporting this issue.

Fixes #1222
tbm committed Jan 26, 2019
1 parent 7c0ae5b commit c5343f18744d0f6fddcc590f9a54c23674d8c489
Showing with 15 additions and 0 deletions.
  1. +3 −0 doc/NEWS
  2. +5 −0 src/option.cc
  3. +7 −0 test/regress/1222.test
@@ -48,6 +48,9 @@
- Fix use-after-free issue with deferred postings (bug #1723, TALOS-2017-0304,
CVE-2017-2808)

- Fix possible stack overflow in option parsing routine (bug #1222,
CVE-2017-12481)

- Fix possible stack overflow in date parsing routine (bug #1224,
CVE-2017-12482)

@@ -42,6 +42,11 @@ namespace {
{
char buf[128];
char * p = buf;

if (name.length() > 127) {
throw_(option_error, _f("Illegal option --%1%") % name);
}

foreach (char ch, name) {
if (ch == '-')
*p++ = '_';
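Review bot: The bound in `if (name.length() > 127)` is a magic number that has to be kept in step with `char buf[128]` by hand; writing it as `name.length() > sizeof(buf) - 1`, or as a named constant shared by both, would stop a later change to the buffer size from reopening the overflow. The copy loop below the check still writes through `p` with no bound of its own, so this precheck is the only guard. The lines after the loop are not visible in this hunk: if they append anything more than a single terminating NUL to `buf`, the limit needs to be lowered by that many bytes. Building the translated name in a `std::string` instead of the fixed buffer would remove the length dependency altogether.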
@@ -0,0 +1,7 @@
--fooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

test reg -> 1
__ERROR__
While parsing file "$FILE", line 1:
Error: Illegal option --fooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
end test
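Review bot: The only input in this regression test is an option name far beyond the limit, so an off-by-one in the length check would pass unnoticed. Add cases with option names of exactly 127 and 128 characters, checking that the 127-character name is handled without a crash and the 128-character one is rejected with `Illegal option`. The expected output also shows that the error path is exercised only through an input file (`While parsing file "$FILE", line 1:`); if the same routine also handles options given on the command line, a second case covering that entry point would be worth having.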
