99 lines
3.1 KiB
Diff
99 lines
3.1 KiB
Diff
# based on commit 8c9602e3a145e9596dc1a63c6ed67865814b6633
|
|
# removed NEWS, offsets and fuzziness
|
|
Author: Pádraig Brady <P@draigBrady.com>
|
|
Date: Tue May 20 16:03:44 2025 +0100
|
|
|
|
sort: fix buffer under-read (CWE-127)
|
|
|
|
* src/sort.c (begfield): Check pointer adjustment
|
|
to avoid Out-of-range pointer offset (CWE-823).
|
|
(limfield): Likewise.
|
|
* tests/sort/sort-field-limit.sh: Add a new test,
|
|
which triggers with ASAN or Valgrind.
|
|
* tests/local.mk: Reference the new test.
|
|
* NEWS: Mention bug fix introduced in v7.2 (2009).
|
|
Fixes https://bugs.gnu.org/78507
|
|
|
|
---
|
|
src/sort.c | 12 ++++++++++--
|
|
tests/local.mk | 1 +
|
|
tests/sort/sort-field-limit.sh | 35 +++++++++++++++++++++++++++++++++++
|
|
3 files changed, 46 insertions(+), 2 deletions(-)
|
|
|
|
--- a/src/sort.c
|
|
+++ b/src/sort.c
|
|
@@ -1794,7 +1794,11 @@ begfield_uni (const struct line *line, c
|
|
++ptr;
|
|
|
|
/* Advance PTR by SCHAR (if possible), but no further than LIM. */
|
|
- ptr = MIN (lim, ptr + schar);
|
|
+ size_t remaining_bytes = lim - ptr;
|
|
+ if (schar < remaining_bytes)
|
|
+ ptr += schar;
|
|
+ else
|
|
+ ptr = lim;
|
|
|
|
return ptr;
|
|
}
|
|
@@ -1955,7 +1959,11 @@ limfield_uni (struct line const *line, s
|
|
++ptr;
|
|
|
|
/* Advance PTR by ECHAR (if possible), but no further than LIM. */
|
|
- ptr = MIN (lim, ptr + echar);
|
|
+ size_t remaining_bytes = lim - ptr;
|
|
+ if (echar < remaining_bytes)
|
|
+ ptr += echar;
|
|
+ else
|
|
+ ptr = lim;
|
|
}
|
|
|
|
return ptr;
|
|
--- a/tests/local.mk
|
|
+++ b/tests/local.mk
|
|
@@ -388,6 +388,7 @@ all_tests = \
|
|
tests/sort/sort-debug-keys.sh \
|
|
tests/sort/sort-debug-warn.sh \
|
|
tests/sort/sort-discrim.sh \
|
|
+ tests/sort/sort-field-limit.sh \
|
|
tests/sort/sort-files0-from.pl \
|
|
tests/sort/sort-float.sh \
|
|
tests/misc/sort-mb-tests.sh \
|
|
--- /dev/null
|
|
+++ b/tests/sort/sort-field-limit.sh
|
|
@@ -0,0 +1,35 @@
|
|
+#!/bin/sh
|
|
+# From 7.2-9.7, this would trigger an out of bounds mem read
|
|
+
|
|
+# Copyright (C) 2025 Free Software Foundation, Inc.
|
|
+
|
|
+# This program is free software: you can redistribute it and/or modify
|
|
+# it under the terms of the GNU General Public License as published by
|
|
+# the Free Software Foundation, either version 3 of the License, or
|
|
+# (at your option) any later version.
|
|
+
|
|
+# This program is distributed in the hope that it will be useful,
|
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+# GNU General Public License for more details.
|
|
+
|
|
+# You should have received a copy of the GNU General Public License
|
|
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
|
|
+
|
|
+. "${srcdir=.}/tests/init.sh"; path_prepend_ ./src
|
|
+print_ver_ sort
|
|
+getlimits_
|
|
+
|
|
+# This issue triggers with valgrind or ASAN
|
|
+valgrind --error-exitcode=1 sort --version 2>/dev/null &&
|
|
+ VALGRIND='valgrind --error-exitcode=1'
|
|
+
|
|
+{ printf '%s\n' aa bb; } > in || framework_failure_
|
|
+
|
|
+_POSIX2_VERSION=200809 $VALGRIND sort +0.${SIZE_MAX}R in > out || fail=1
|
|
+compare in out || fail=1
|
|
+
|
|
+_POSIX2_VERSION=200809 $VALGRIND sort +1 -1.${SIZE_MAX}R in > out || fail=1
|
|
+compare in out || fail=1
|
|
+
|
|
+Exit $fail
|