Sophie

ming-0.4.5-14.1.mga6.src.rpm

From 726c2768805c8c95e8ad8e5f09eddc5b16570365 Mon Sep 17 00:00:00 2001
From: Hugo Lefeuvre <hle@debian.org>
Date: Mon, 4 Dec 2017 12:51:16 +0100
Subject: [PATCH 23/29] Fix buffer overflow in dcputs (buffer missing \0)

The dcputs function appends the passed string at the end of the global
string buffer (dcstr), adapting the buffer's size if necessary.

Unfortunately, the strsize variable which holds the global buffer's
size is initialized to 0 in dcinit(), which means that no place for
the \0 character is reserved. Hence, whenever dcputs tries to strcat
a string to the global buffer, a byte may be missing, leading to a
heap buffer overflow.

This commit addresses this issue (CVE-2017-11732, closes #80).
---
 util/decompile.c | 2 +-
 1 file changed, 1 insertions(+), 1 deletion(-)

diff --git a/util/decompile.c b/util/decompile.c
index 1593c9c0..a303d6ba 100644
--- a/util/decompile.c
+++ b/util/decompile.c
@@ -79,7 +79,7 @@ static char *dcptr=NULL;
 void
 dcinit()
 {
-	strsize=0;
+	strsize = 1; // We start with empty string, i.e. \0
 	strmaxsize=DCSTRSIZE;
 	dcstr=calloc(DCSTRSIZE,1);
 	dcptr=dcstr;
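Review bot: this hunk only corrects the initial value of strsize in dcinit(); the overflow described in the commit message happens in dcputs(), whose capacity check is not part of this hunk, so the reviewer should confirm that the grow/realloc condition there compares strsize (now counting the terminating \0) plus the appended length against strmaxsize, otherwise the off-by-one simply moves. The inline comment should state the invariant rather than the initial state, e.g. `strsize = 1; /* strsize includes the terminating \0 */`, and the spacing in `strsize = 1;` differs from the neighbouring `strmaxsize=DCSTRSIZE;` and `dcstr=calloc(DCSTRSIZE,1);`; matching the surrounding style (and a `/* */` comment if the rest of the file uses them) keeps the change minimal. Note also that calloc(DCSTRSIZE,1) already zero-fills dcstr, so the buffer is a valid empty string immediately after this initialisation, which is what the new strsize = 1 accounts for.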
-- 
2.14.3