
Bug #20359808 - OUT OF BOUNDS WRITE (OFF BY ONE)

DESCRIPTION
===========
/strings/ctype.c:

In cs_value() for one of the cases (Rules: Context), the
length check condition is flawed. With the current behaviour
it allows the program to write even if the length of "attribute"
is equal to the size of "context", which results in memory
corruption. This happens since the extra terminating NULL
is written at the start of the adjacent variable.

ANALYSIS
========
The program should allow the write only if the length of
the former is less than the size of the latter. So the "+ 1" should be
dropped from the following condition:

if (len < sizeof(i->context) + 1)

In the regular scenario, when the program writes well within its
boundary, this corruption doesn't happen.

FIX
===
Dropped "+ 1" from the condition so that the required check
is made correctly.
shishirlearnz committed May 26, 2015
1 parent 3b6b4bf commit 1cdd3b832ae32d3c236869954f0c7a8a851ed94a
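The following is an added example, not code from MySQL or from this commit, that models the boundary the commit message describes. `CONTEXT_SIZE`, `struct cs_info`, its `adjacent` member and the helper names are assumptions standing in for `sizeof(i->context)` and the neighbouring field; the real sizes and layout are not shown in the hunk. `terminator_index()` reports where the trailing NUL would land under the old condition (`slack = 1`, the "+ 1") and the corrected one (`slack = 0`), and `set_context()` performs the corrected bounded copy.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: stands in for sizeof(i->context); the real size is not in the hunk. */
#define CONTEXT_SIZE 8

/* Hypothetical layout mirroring the commit message: whatever member
 * follows "context" is where a stray terminator would be written. */
struct cs_info {
    char context[CONTEXT_SIZE];
    char adjacent;   /* hypothetical neighbouring field */
};

/* Index at which the terminating NUL is written for an attribute of
 * 'len' bytes, or -1 if the length check rejects the write.
 * 'slack' is the "+ 1" from the original condition: 1 = flawed, 0 = fixed. */
int terminator_index(size_t len, size_t cap, int slack)
{
    if (len < cap + (size_t)slack)
        return (int)len;
    return -1;
}

/* Whether a terminator written at 'idx' stays inside a buffer of 'cap' bytes. */
int terminator_in_bounds(int idx, size_t cap)
{
    return idx >= 0 && (size_t)idx < cap;
}

/* The corrected copy: accept only attributes that leave room for the NUL.
 * Returns 1 on success, 0 when the attribute is too long to store. */
int set_context(struct cs_info *i, const char *attr, size_t len)
{
    if (len < sizeof(i->context)) {
        memcpy(i->context, attr, len);
        i->context[len] = '\0';
        return 1;
    }
    return 0;
}

int main(void)
{
    size_t len;
    /* Walk the two interesting lengths: one below the capacity and exactly at it. */
    for (len = CONTEXT_SIZE - 1; len <= CONTEXT_SIZE; len++) {
        int flawed = terminator_index(len, CONTEXT_SIZE, 1);
        int fixed  = terminator_index(len, CONTEXT_SIZE, 0);
        printf("len=%zu  old check: NUL at %d (%s)  new check: NUL at %d (%s)\n",
               len,
               flawed, terminator_in_bounds(flawed, CONTEXT_SIZE) ? "in bounds" : "OUT OF BOUNDS",
               fixed,  fixed < 0 ? "rejected" : "in bounds");
    }
    return 0;
}
```

With `len == CONTEXT_SIZE` the old condition accepts the write and places the NUL at index `CONTEXT_SIZE`, i.e. the first byte of `adjacent`; the corrected condition rejects that length and only ever writes the terminator at an index below the capacity.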
  1. +2 −2 strings/ctype.c
@@ -1,4 +1,4 @@
/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
/* Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -752,7 +752,7 @@ static int cs_value(MY_XML_PARSER *st,const char *attr, size_t len)
/* Rules: Context */
case _CS_CONTEXT:
if (len < sizeof(i->context) + 1)
if (len < sizeof(i->context))
{
memcpy(i->context, attr, len);
i->context[len]= '\0';
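Review bot: The tightened condition `if (len < sizeof(i->context))` is the right boundary: `memcpy` copies `len` bytes and the terminator then lands at index `len`, which is at most `sizeof(i->context) - 1`, whereas the old `+ 1` let `len == sizeof(i->context)` through and put the `'\0'` one byte past the array. What is not visible in the hunk is the path taken when the check fails; if an over-long context attribute is silently skipped, consider having cs_value() signal an error so a truncated or missing value is not mistaken for a parsed one. A regression test feeding an attribute of exactly `sizeof(i->context)` bytes would pin this boundary.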
