From 68ed65ab425c81027c66e73ee1b734d8dbf785ad Mon Sep 17 00:00:00 2001
From: Ivan Maidanski
Date: Mon, 12 Nov 2018 20:57:32 +0300
Subject: Guard against potential buffer overflow in CORD_next and CORD_pos_fetch

* cord/cordbscs.c (CORD__pos_fetch, CORD__next): Call ABORT() if CORD_pos_valid() returns false for the argument (do not compute pe in this case).
---
 cord/cordbscs.c | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)

(limited to 'cord')

diff --git a/cord/cordbscs.c b/cord/cordbscs.c
index a92ab639..1b4ec28b 100644
--- a/cord/cordbscs.c
+++ b/cord/cordbscs.c
@@ -780,19 +780,30 @@ void CORD__extend_path(CORD_pos p)
 char CORD__pos_fetch(CORD_pos p)
 {
     /* Leaf is a function node */
-    struct CORD_pe * pe = &((p)[0].path[(p)[0].path_len]);
-    CORD leaf = pe -> pe_cord;
-    struct Function * f = &(((CordRep *)leaf) -> function);
-
-    if (!IS_FUNCTION(leaf)) ABORT("CORD_pos_fetch: bad leaf");
+    struct CORD_pe * pe;
+    CORD leaf;
+    struct Function * f;
+
+    if (!CORD_pos_valid(p))
+        ABORT("CORD_pos_fetch: invalid argument");
+    pe = &p[0].path[p[0].path_len];
+    leaf = pe -> pe_cord;
+    if (!IS_FUNCTION(leaf))
+        ABORT("CORD_pos_fetch: bad leaf");
+    f = &((CordRep *)leaf)->function;
     return ((*(f -> fn))(p[0].cur_pos - pe -> pe_start_pos, f -> client_data));
 }
 
 void CORD__next(CORD_pos p)
 {
     size_t cur_pos = p[0].cur_pos + 1;
-    struct CORD_pe * current_pe = &((p)[0].path[(p)[0].path_len]);
-    CORD leaf = current_pe -> pe_cord;
+    struct CORD_pe * current_pe;
+    CORD leaf;
+
+    if (!CORD_pos_valid(p))
+        ABORT("CORD_next: invalid argument");
+    current_pe = &p[0].path[p[0].path_len];
+    leaf = current_pe -> pe_cord;
 
     /* Leaf is not a string or we're at end of leaf */
     p[0].cur_pos = cur_pos;
-- 
cgit v1.2.1
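Review bot: In CORD__next the new validity guard is placed after `size_t cur_pos = p[0].cur_pos + 1;`, so the position is still read before it is checked, whereas CORD__pos_fetch now checks before touching `p` at all; declaring `size_t cur_pos;` with the other locals and assigning `cur_pos = p[0].cur_pos + 1;` after the `ABORT("CORD_next: invalid argument");` line would make the guard the first thing both functions do. The definition of CORD_pos_valid() is not in the hunk; if it only tests a sentinel value of `path_len`, the guard stops the `path[path_len]` index from using that sentinel but does not bound `path_len` against the size of `path`, which is worth stating in a comment on the guard such as `/* path_len is trusted once the position is valid */`. The body of CORD__next continues past the end of the hunk.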