fix heap-buffer-overflow #957
Conversation
|
Hi, I'm going through PRs in preparation for a new release. I see what you're fixing here, but can you provide an example format string where we would currently read past the end of the buffer? I think a regression test may be worthwhile. |
Whitespace Co-authored-by: Kristján Valur Jónsson <sweskman@gmail.com>
|
I ran the fuzzing tests described in the issue to be able to propose a testcase. |
|
Closing in favor of #1097. Thanks for finding and reporting the issue though! |
|
I contest closing this. Incrementing a zero terminated string twice, without checking that there is indeed a zero in between increments, is dangerous. One should always check for zeroes, even if one strongly believes that the string is correctly constructed. It is prudent, from a security perspective, to leave no opening for reading past the end of a string. Even if one has good faith that the string is well formed. |
hiredis.c
Outdated
| @@ -477,6 +477,8 @@ int redisvFormatCommand(char **target, const char *format, va_list ap) { | |||
|
|
|||
| touched = 1; | |||
| c++; | |||
| if (*c == '\0') | |||
| continue; | |||
There was a problem hiding this comment.
I'd change this to break to make the intention more explicit.
|
I am a professional programmer and I approve of this message. |
|
@kristjanvalur I see your point. It certainly doesn't hurt anything to apply both fixes. |
fix heap-buffer-overflow in #956