authorNeven Sajko <nsajko@gmail.com>2019-12-31 21:32:42 +0000
committerDan Cross <crossd@gmail.com>2020-01-07 20:25:18 -0500
commitc65d179354fd3fd6f9719531f3414cf1c9c5280a (patch)
treebbfb59d23144ec4b4e3773f2fb9ec15f8caeb167 /src/cmd/mk
parent194178b5788a09379e01e8ff8bff391b8a8d5c18 (diff)
mk: fix out of bounds access
A loop is added for each structure field instead of accessing the other fields through the first one in one loop. Updates #313 Change-Id: I0e27e15feacb77391bc1decee7cf720d64d14586
Diffstat (limited to 'src/cmd/mk')
-rw-r--r--src/cmd/mk/archive.c28
1 files changed, 21 insertions, 7 deletions
diff --git a/src/cmd/mk/archive.c b/src/cmd/mk/archive.c
index 01288908..6869bacf 100644
--- a/src/cmd/mk/archive.c
+++ b/src/cmd/mk/archive.c
@@ -1,6 +1,6 @@
#include "mk.h"
#define ARMAG "!<arch>\n"
-#define SARMAG 8
+#define SARMAG (sizeof(ARMAG) - sizeof(""))
#define ARFMAG "`\n"
#define SARNAME 16
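Review bot: The new `SARMAG` definition changes the macro's type from `int` to `size_t`, and the `sizeof(ARMAG) - sizeof("")` spelling hides that it is simply the string length without the terminator. Every use, such as `LSEEK(fd, SARMAG, 0)` in atouch and any comparison against a signed `read` result, now goes through unsigned conversion, so the remaining uses outside this diff are worth checking. If the old type is wanted, `#define SARMAG ((int)sizeof(ARMAG) - 1)` keeps the value derived from the literal and stays signed.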
@@ -102,7 +102,7 @@ atouch(char *name)
LSEEK(fd, SARMAG, 0);
while(read(fd, (char *)&h, sizeof(h)) == sizeof(h)){
for(i = SARNAME-1; i > 0 && h.name[i] == ' '; i--)
- ;
+ ;
h.name[i+1]=0;
if(strcmp(member, h.name) == 0){
t = SARNAME-sizeof(h); /* ughgghh */
@@ -118,6 +118,18 @@ atouch(char *name)
close(fd);
}
+static int
+allspaces(char *a, int n)
+{
+ int i;
+ for (i = 0; i < n; i++) {
+ if (a[i] != ' ') {
+ return 0;
+ }
+ }
+ return 1;
+}
+
static void
atimes(char *ar)
{
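Review bot: `allspaces(char *a, int n)` takes a mutable pointer and a signed length, although it only reads the buffer and every caller in this commit passes a `sizeof` expression. Declaring it `allspaces(const char *a, size_t n)`, with `i` of the same type, would avoid the implicit narrowing and make it obvious that the header is not modified. The helper also has no comment; something like `/* return 1 if the n bytes at a are all ' ', 0 otherwise; a need not be NUL-terminated */` would document that it is meant for fixed-width header fields.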
@@ -151,11 +163,13 @@ atimes(char *ar)
if(readn(fd, name, namelen) != namelen)
break;
name[namelen] = 0;
- }else if(memcmp(h.name, "// ", 2) == 0){ /* GNU */
+ }else if(memcmp(h.name, "// ", 3) == 0){ /* GNU */
/* date, uid, gid, mode all ' ' */
- for(i=2; i<16+12+6+6+8; i++)
- if(h.name[i] != ' ')
- goto skip;
+ if(!allspaces(&h.name[3], sizeof(h.name) - 3) ||
+ !allspaces(h.date, sizeof(h.date)) || !allspaces(h.uid, sizeof(h.uid)) ||
+ !allspaces(h.gid, sizeof(h.gid)) || !allspaces(h.mode, sizeof(h.mode))){
+ goto skip;
+ }
t = atol(h.size);
if(t&01)
t++;
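Review bot: The `t = atol(h.size);` that follows the new per-field checks still parses a fixed-width header field in place, which this fix does not cover. If `h` is filled straight from the archive as it is in atouch (`read(fd, (char *)&h, sizeof(h))`), `h.size` has no terminating NUL, so atol stops only at the first non-digit byte it meets and a malformed archive could carry the parse past the field. Copying the field into a terminated buffer first, `char sz[sizeof(h.size)+1]; memcpy(sz, h.size, sizeof(h.size)); sz[sizeof(h.size)] = 0;`, and then calling `t = atol(sz);` bounds the read. A negative result should also be rejected before `t` is used. How `t` is consumed is not visible here, since atimes continues past the end of the hunk.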
@@ -189,7 +203,7 @@ atimes(char *ar)
}else{
strncpy(name, h.name, sizeof(h.name));
for(i = sizeof(h.name)-1; i > 0 && name[i] == ' '; i--)
- ;
+ ;
if(name[i] == '/') /* system V bug */
i--;
name[i+1]=0;