author | Neven Sajko <nsajko@gmail.com> | 2019-12-31 21:32:42 +0000 |
---|---|---|
committer | Dan Cross <crossd@gmail.com> | 2020-01-07 20:25:18 -0500 |
commit | c65d179354fd3fd6f9719531f3414cf1c9c5280a (patch) | |
tree | bbfb59d23144ec4b4e3773f2fb9ec15f8caeb167 /src/cmd/mk | |
parent | 194178b5788a09379e01e8ff8bff391b8a8d5c18 (diff) | |
mk: fix out of bounds access
A loop is added for each structure field instead of accessing the other
fields through the first one in one loop.
Updates #313
Change-Id: I0e27e15feacb77391bc1decee7cf720d64d14586
Diffstat (limited to 'src/cmd/mk')
-rw-r--r-- | src/cmd/mk/archive.c | 28 |
1 files changed, 21 insertions, 7 deletions
diff --git a/src/cmd/mk/archive.c b/src/cmd/mk/archive.c
index 01288908..6869bacf 100644
--- a/src/cmd/mk/archive.c
+++ b/src/cmd/mk/archive.c
@@ -1,6 +1,6 @@
 #include "mk.h"
 #define ARMAG "!<arch>\n"
-#define SARMAG 8
+#define SARMAG (sizeof(ARMAG) - sizeof(""))
 #define ARFMAG "`\n"
 #define SARNAME 16
@@ -102,7 +102,7 @@ atouch(char *name)
 LSEEK(fd, SARMAG, 0);
 while(read(fd, (char *)&h, sizeof(h)) == sizeof(h)){
 for(i = SARNAME-1; i > 0 && h.name[i] == ' '; i--)
- ;
+ ;
 h.name[i+1]=0;
 if(strcmp(member, h.name) == 0){
 t = SARNAME-sizeof(h); /* ughgghh */
@@ -118,6 +118,18 @@ atouch(char *name)
 close(fd);
 }
+static int
+allspaces(char *a, int n)
+{
+ int i;
+ for (i = 0; i < n; i++) {
+ if (a[i] != ' ') {
+ return 0;
+ }
+ }
+ return 1;
+}
+
 static void
 atimes(char *ar)
 {
@@ -151,11 +163,13 @@ atimes(char *ar)
 if(readn(fd, name, namelen) != namelen)
 break;
 name[namelen] = 0;
- }else if(memcmp(h.name, "// ", 2) == 0){ /* GNU */
+ }else if(memcmp(h.name, "// ", 3) == 0){ /* GNU */
 /* date, uid, gid, mode all ' ' */
- for(i=2; i<16+12+6+6+8; i++)
- if(h.name[i] != ' ')
- goto skip;
+ if(!allspaces(&h.name[3], sizeof(h.name) - 3) ||
+ !allspaces(h.date, sizeof(h.date)) || !allspaces(h.uid, sizeof(h.uid)) ||
+ !allspaces(h.gid, sizeof(h.gid)) || !allspaces(h.mode, sizeof(h.mode))){
+ goto skip;
+ }
 t = atol(h.size);
 if(t&01)
 t++;
@@ -189,7 +203,7 @@ atimes(char *ar)
 }else{
 strncpy(name, h.name, sizeof(h.name));
 for(i = sizeof(h.name)-1; i > 0 && name[i] == ' '; i--)
- ;
+ ;
 if(name[i] == '/') /* system V bug */
 i--;
 name[i+1]=0; |
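Review bot: In the first hunk (`@@ -1,6 +1,6 @@`) SARMAG changes from an int constant to the unsigned result of `sizeof`, which matters wherever it is compared with a signed return value such as a read count. The only use visible on this page is `LSEEK(fd, SARMAG, 0)`, so the remaining uses in archive.c should be checked for signed/unsigned comparisons. `sizeof(ARMAG) - 1` is the more common spelling than `- sizeof("")`, and a short comment such as `/* length of ARMAG without the terminating NUL */` would make the intent plain.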
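Review bot: The new helper in the `@@ -118,6 +118,18 @@` hunk is declared `allspaces(char *a, int n)`, yet it never writes through `a` and every caller passes a `sizeof` result, so `const char *a` and an unsigned length would match how it is used and avoid an implicit narrowing. It also has no comment; something like `/* return 1 if the first n bytes of a are all ' ', 0 otherwise */` above the definition would document the contract. The spaced, fully braced `for (i = 0; ...) {` form differs from the `for(i = ...)` style of the surrounding context lines.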
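Review bot: In the `@@ -151,11 +163,13 @@` hunk, `t = atol(h.size)` directly after the new padding check still parses a fixed-width header field that is presumably not NUL-terminated and accepts whatever value comes back, so a malformed archive can yield a negative or oversized `t`. A range check such as `if(t < 0) goto skip;` before the odd-size round-up, together with a bounded parse of the field, would cover it; how `t` is consumed lies outside the hunk and should be confirmed. The access-past-the-first-field pattern this commit removes also appears to survive in atouch: in the whitespace-only hunk at `@@ -102,7 +102,7 @@`, `h.name[i+1]=0` stores at index SARNAME when the name has no trailing space, assuming `h.name` is SARNAME bytes long. Stopping the scan at `SARNAME-2` or copying the name into a local buffer of `SARNAME+1` bytes first would keep that write inside the array.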