Branch: refs/heads/coverity_scan
Home: https://github.com/kronosnet/kronosnet
Commit: f2bb002911d669f1b8c07cba5f86c580d4e30bf3
https://github.com/kronosnet/kronosnet/commit/f2bb002911d669f1b8c07cba5f86c5...
Author: Thomas Lamprecht t.lamprecht@proxmox.com
Date: 2019-10-08 (Tue, 08 Oct 2019)
Changed paths: M man/doxyxml.c
Log Message:
-----------
doxyxml: print_param: fix heap-buffer-overflow on read
in read_struct we can get the pi->paramtype assigned with:
pi->paramtype = type?strdup(type):strdup("");
And in print_param we then always check the last character by getting the strlen and subtracting one. But in the case where either type was NULL and we assigned an empty string, or type wasn't null but pointing to an empty string, we ran into a read-heap-buffer-overflow, as here strlen is zero, and so the first if branch evaluated to
if (pi->paramtype[-1] == '*') {
which isn't valid. Depending on the OS, protection of surrounding area due to said OS or the compiler, this can crash the program.
A similar issue was the case for the next check for double pointers, here for all strings with strlen < 2.
To solve this, get the strlen early and check if we cannot underflow before doing the real read.
Signed-off-by: Thomas Lamprecht t.lamprecht@proxmox.com
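
The length-guarded trailing-character check the commit message describes, as an added example that is not the kronosnet code and not part of the original commit. The helper name `split_pointer_type`, its buffer interface and the sample strings are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Unguarded form described in the commit message (shown only as a comment):
 *     if (paramtype[strlen(paramtype) - 1] == '*')
 * For an empty string the index becomes -1, one byte before the allocation. */

/* Hypothetical helper: count up to two trailing '*' in paramtype and copy the
 * type without them into base. Returns 0, 1 or 2, or -1 on unusable input. */
static int split_pointer_type(const char *paramtype, char *base, size_t base_sz)
{
	size_t len;
	int stars = 0;

	if (paramtype == NULL || base == NULL || base_sz == 0)
		return -1;

	len = strlen(paramtype);        /* take the length once, up front */
	if (len >= base_sz)
		return -1;              /* does not fit: refuse, do not truncate */

	/* len > 0 guarantees that index len - 1 lies inside the string */
	if (len > 0 && paramtype[len - 1] == '*') {
		stars = 1;
		len--;
		/* after the decrement the same guard covers the strlen < 2 case */
		if (len > 0 && paramtype[len - 1] == '*') {
			stars = 2;
			len--;
		}
	}
	memcpy(base, paramtype, len);
	base[len] = '\0';
	return stars;
}

int main(void)
{
	/* Constructed inputs, including the lengths 0 and 1 named in the message */
	const char *samples[] = { "", "*", "**", "int", "char *", "struct foo **" };
	char base[64];
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int stars = split_pointer_type(samples[i], base, sizeof(base));
		printf("\"%s\" -> base=\"%s\" stars=%d\n", samples[i], base, stars);
	}
	return 0;
}
```

Building the unguarded form with `-fsanitize=address` and passing it an empty string is how a read of this kind is normally caught during testing.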