https://hackerone.com/aerodudrizzt reported the following issues in sprintf:

Technical Error 1:

The CHECK(l) macro can sometimes receive negative values that bypass the size checks, since the resize loop is:

```c
#define CHECK(l) do {\
  /* int cr = ENC_CODERANGE(result);*/\
  while ((l) >= bsiz - blen) {\
    bsiz*=2;\
  }\
  mrb_str_resize(mrb, result, bsiz);\
  /* ENC_CODERANGE_SET(result, cr);*/\
  buf = RSTRING_PTR(result);\
} while (0)
```

One example of reaching a negative "l" value is the "G" format when the width is "2 ** 31 - 20", causing need to be MIN_INT:

```c
if ((flags&FWIDTH) && need < width)
  need = width;
need += 20;
CHECK(need);
n = snprintf(&buf[blen], need, fbuf, fval);
blen += n;
```

Proposed Fix:
Since there are several such IOFs, the best fix will be a robust check inside the macro itself.
The macro should add another check to raise an exception in case l < 0.

Technical Error 2:

Still in the "G" format, in case of a huge width, the snprintf call will fail, returning -1:

```c
n = snprintf(&buf[blen], need, fbuf, fval);
blen += n;
```

This means that we can decrement blen by 1 for each such format primitive.

Information Leak PoC Script:
On 32bit machines, mrb_str_resize(-1) will create a string of length -1 with a data buffer realloced with size 0 (= -1 + 1). The resulting output is:
And a close look will tell us that unique.length returned -1: 0x2d, 0x31

Heap buffer underflow PoC Script:
Decrementing blen 10 times will result in a buffer underflow of 10 bytes that will write '!' on the str1, as can be seen in the dump:

Proposed Fix:
Should check the return value of snprintf for errors, instead of directly using it by adding it to blen.
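As an added illustration of the two proposed fixes (this is not mruby's code nor the reporter's scripts), the following stand-alone C model keeps the original CHECK loop beside a hardened one that rejects a negative length, and replaces the bare `blen += snprintf(...)` with an append routine that only advances blen when snprintf succeeded and the output fit. The `fmtbuf` type and the function names are constructed for this example; the mruby string and exception APIs are stood in for by a plain buffer and a return code.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for sprintf's buffer state; not mruby's own types. */
typedef struct {
    char *buf;
    long  bsiz;  /* allocated size */
    long  blen;  /* bytes written so far */
} fmtbuf;

/* Mirrors the original CHECK loop: a negative l skips the loop entirely,
 * so nothing grows and the "check" silently passes. */
static int check_unsafe(fmtbuf *b, long l) {
    while (l >= b->bsiz - b->blen) b->bsiz *= 2;
    return 1;
}

/* Hardened CHECK: reject negative lengths (mruby would raise here) and
 * refuse to double past the representable range before reallocating. */
static int check_safe(fmtbuf *b, long l) {
    if (l < 0) return 0;
    while (l >= b->bsiz - b->blen) {
        if (b->bsiz > LONG_MAX / 2) return 0;
        b->bsiz *= 2;
    }
    char *p = realloc(b->buf, (size_t)b->bsiz);
    if (!p) return 0;
    b->buf = p;
    return 1;
}

/* Only advance blen when snprintf reports success and the output fit;
 * a -1 return (or a truncated write) leaves blen untouched. */
static int accept_result(fmtbuf *b, int n, size_t room) {
    if (n < 0 || (size_t)n >= room) return 0;
    b->blen += n;
    return 1;
}

/* Replacement for the bare "blen += snprintf(...)" pattern. */
static int append_fmt(fmtbuf *b, const char *fmt, double v) {
    if (b->buf == NULL || b->blen < 0 || b->blen > b->bsiz) return 0;
    size_t room = (size_t)(b->bsiz - b->blen);
    int n = snprintf(b->buf + b->blen, room, fmt, v);
    return accept_result(b, n, room);
}
```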