Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fix buffer overflow in do_composition()
I tried to verify that Linux 6.2's decision to use -funsigned-char would break our code and was mostly successful, with the sole exception of do_composition(), which has a bug that -funsigned-char would have lessened, although not mitigated. In do_composition(), we have: size = u8_number_of_bytes[*p]; if (size <= 1 || (p + size) > oslast) break; There, we have type promotion from char to size_t, which is unsigned. C will sign extend the value as part of the widening before treating the value as unsigned and the negative values we can counter are error values from U8_ILLEGAL_CHAR and U8_OUT_OF_RANGE_CHAR, which are -1 and -2 respectively. The unsigned versions of these under two's complement are SIZE_MAX and SIZE_MAX-1 respectively. The bounds check is written under the assumption that `size <= 1` does a signed comparison. This is followed by a pointer comparison to see if the string has the correct length, which is fine. A little further down we have: for (i = 0; i < size; i++) tc[i] = *p++; When an error condition is encountered, this will iterate at least SIZE_MAX-1 times, which will massively overflow the buffer, which is not fine. This would undoubtedly cause horrible memory corruption, which would likely crash the system, but could cause just about anything until the system crashes. Signed-off-by: Richard Yao <richard.yao@alumni.stonybrook.edu>
- Loading branch information