Commit 957aefdc authored by Shishir Jaiswal's avatar Shishir Jaiswal

Bug#23498283 - BUFFER OVERFLOW

DESCRIPTION
===========
Buffer overflow is reported in Regex library. This can be
triggered when the data corresponding to argv[1] is >=
512 bytes resutling in abnormal behaviour.

ANALYSIS
========
Its a straight forward case of SEGFAULT where the target
buffer is smaller than the source string to be copied.
A simple pre-copy validation should do.

FIX
===
A check is added before doing strcpy() to ensure that the
target buffer is big enough to hold the to-be copied data.
If the check fails, the program aborts.
parent df0d8efa
...@@ -159,6 +159,10 @@ char *argv[]; ...@@ -159,6 +159,10 @@ char *argv[];
if (argc > 4) if (argc > 4)
for (n = atoi(argv[3]); n > 0; n--) { for (n = atoi(argv[3]); n > 0; n--) {
if(sizeof(buf)-1 < strlen(argv[1]))
{
exit(EXIT_FAILURE);
}
(void) strcpy(buf, argv[1]); (void) strcpy(buf, argv[1]);
} }
else if (argc > 3) else if (argc > 3)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment