Bug#23498283 - BUFFER OVERFLOW

DESCRIPTION =========== Buffer overflow is reported in Regex library. This can be triggered when the data corresponding to argv[1] is >= 512 bytes resutling in abnormal behaviour. ANALYSIS ======== Its a straight forward case of SEGFAULT where the target buffer is smaller than the source string to be copied. A simple pre-copy validation should do. FIX === A check is added before doing strcpy() to ensure that the target buffer is big enough to hold the to-be copied data. If the check fails, the program aborts.

Bug#23498283 - BUFFER OVERFLOW
DESCRIPTION =========== Buffer overflow is reported in Regex library. This can be triggered when the data corresponding to argv[1] is >= 512 bytes resutling in abnormal behaviour. ANALYSIS ======== Its a straight forward case of SEGFAULT where the target buffer is smaller than the source string to be copied. A simple pre-copy validation should do. FIX === A check is added before doing strcpy() to ensure that the target buffer is big enough to hold the to-be copied data. If the check fails, the program aborts.
957aefdc · Shishir Jaiswal · df0d8efa · 957aefdc
Commit 957aefdc authored Jun 17, 2016 by Shishir Jaiswal
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 0 deletions

regex/split.c regex/split.c +4 -0

No files found.
--- a/regex/split.c
+++ b/regex/split.c
@@ -159,6 +159,10 @@ char *argv[];

 	if (argc > 4)
 		for (n = atoi(argv[3]); n > 0; n--) {
+                        if(sizeof(buf)-1 < strlen(argv[1]))
+                        {
+                          exit(EXIT_FAILURE);
+                        }
 			(void) strcpy(buf, argv[1]);
 		}
 	else if (argc > 3)