Branch: refs/heads/master
Home:
https://github.com/kronosnet/kronosnet
Commit: f2bb002911d669f1b8c07cba5f86c580d4e30bf3
https://github.com/kronosnet/kronosnet/commit/f2bb002911d669f1b8c07cba5f86c…
Author: Thomas Lamprecht <t.lamprecht(a)proxmox.com>
Date: 2019-10-08 (Tue, 08 Oct 2019)
Changed paths:
M man/doxyxml.c
Log Message:
-----------
doxyxml: print_param: fix heap-buffer-overflow on read
in read_struct we can get the pi->paramtype assigned with:
pi->paramtype =
type?strdup(type):strdup("");
And in print_param we then always check the last character by getting
the strlen and subtracting one. But in the case where either type was
NULL and we assigned an empty string, or type wasn't null but
pointing to an empty string we ran into an read-heap-buffer-overflow
as here strlen is zero, and so we the first if branch evaluated to
if (pi->paramtype[-1] == '*') {
which
isn't valid. Depending on the OS, protection of surrounding
area due to said OS or the compiler, this can crash the program.
Similar issue was the case for the next check for double pointers,
here for all strings with strlen < 2.
To solve this get the strlen early and check if we cannot underflow
before doing the real read.
Signed-off-by: Thomas Lamprecht <t.lamprecht(a)proxmox.com>
Commit: f2f1fe9162ca82d45187ab0b26009207932686f0
https://github.com/kronosnet/kronosnet/commit/f2f1fe9162ca82d45187ab0b26009…
Author: Fabio M. Di Nitto <fdinitto(a)redhat.com>
Date: 2019-10-09 (Wed, 09 Oct 2019)
Changed paths:
M man/doxyxml.c
Log Message:
-----------
Merge pull request #262 from ThomasLamprecht/fix-doxyxml-overflow
doxyxml: print_param: fix heap-buffer-overflow on read
Compare:
https://github.com/kronosnet/kronosnet/compare/a0128b93d4a6...f2f1fe9162ca