[Bug 284472] bspatch(1): still one "attack vector"
Date: Thu, 30 Jan 2025 20:33:30 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284472
Bug ID: 284472
Summary: bspatch(1): still one "attack vector"
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: bugs@FreeBSD.org
Reporter: steffen@sdaoden.eu
I had shared the following in private already, but since the code has not been
fixed, I am simply creating a bug report.
<code>
|The problem is that at the end of the loop there is a
|
| /* Adjust pointers */
| - newpos+=ctrl[1];
| - oldpos+=ctrl[2];
| + newpos = add_off_t(newpos, ctrl[1]);
| + oldpos = add_off_t(oldpos, ctrl[2]);
|
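Review bot: the checked add on the `+` lines only rejects signed overflow; with a negative ctrl[2] it returns a negative oldpos as-is, and nothing in this hunk treats that as an error. Since the original code tolerated a negative oldpos (the per-byte `>= 0` test in the read loop is what kept old[] safe), this change is only sound if that lower-bound test survives in the loop below.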
|but before that we have
|
| /* Add old data to diff string */
| for (i = 0; i < ctrl[0]; i++)
| - if ((oldpos + i >= 0) && (oldpos + i < oldsize))
| + if (add_off_t(oldpos, i) < oldsize)
| new[newpos + i] += old[oldpos + i];
|
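Review bot: the `+` line drops the `oldpos + i >= 0` half of the condition it replaces. add_off_t(oldpos, i) guards the addition against overflow, not against a negative sum, so once ctrl[2] from the previous iteration has pushed oldpos below zero the `< oldsize` test still passes and `old[oldpos + i]` reads before the start of the buffer. Keep both bounds, e.g. `off_t idx = add_off_t(oldpos, i); if (idx >= 0 && idx < oldsize)`.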
|so if ctrl[2] is only "negative enough" then in the next loop tick
|old will be accessed at a negative offset, I would think.
</code>
(I think the analysis was right.)
BTW, I have created a "bsdipa" fork which is, I think, an iterated variant of
bsdiff/bspatch:
<code>
s-bsdipa (ZLIB; 0.5.3): create or apply binary difference patch
s-bsdipa [!]patch after patch restored
s-bsdipa [!]diff before after patch
s-bsdipa [!]xdiff before after patch
s-bsdipa [!]diff/VAL before after patch
The first uses "patch" to create "restored" from "after".
The latter create "patch" from the difference of "after" and "before";
they differ in the size of the "magic window": diff uses the built-in value,
xdiff uses 16, whereas diff/VAL expects a positive integer to be used instead.
An existing target is overwritten if the subcommand is prefixed with "!".
Some statistics are written on standard output.
. Patches use ZLIB compression.
</code>
Adding a zstd variant would be easy.
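As an added example (not the FreeBSD bspatch source), the two bounds checks from the quoted hunks modelled in C: add_off_t is an assumed stand-in for the checked addition in the patch, int64_t stands in for off_t, and the control values are constructed to show how a negative ctrl[2] slips past the patched check but not the one that keeps the lower bound.

```c
/* Added example, not the FreeBSD bspatch code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed stand-in for the patch's add_off_t(): aborts on signed overflow,
 * otherwise returns the sum. Note it says nothing about the sign of the
 * result; a negative sum is returned unchanged. */
static int64_t add_off_t(int64_t a, int64_t b)
{
	if ((b > 0 && a > INT64_MAX - b) || (b < 0 && a < INT64_MIN - b)) {
		fprintf(stderr, "corrupt patch: offset overflow\n");
		exit(1);
	}
	return a + b;
}

/* The '+' line of the second hunk: only the upper bound is tested,
 * so a negative oldpos + i is accepted as an index into old[]. */
static bool old_index_ok_patched(int64_t oldpos, int64_t i, int64_t oldsize)
{
	return add_off_t(oldpos, i) < oldsize;
}

/* Checked addition plus the lower bound the '-' line had:
 * an index into old[] must lie in [0, oldsize). */
static bool old_index_ok_fixed(int64_t oldpos, int64_t i, int64_t oldsize)
{
	int64_t idx = add_off_t(oldpos, i);
	return idx >= 0 && idx < oldsize;
}

/* One "Adjust pointers" step (first hunk) with the given ctrl[2], then the
 * first read of the next loop tick (i == 0). Returns 1 when the patched
 * check accepts an index that the two-sided check rejects. */
static int negative_offset_escapes(int64_t oldpos, int64_t ctrl2, int64_t oldsize)
{
	int64_t next = add_off_t(oldpos, ctrl2);
	return old_index_ok_patched(next, 0, oldsize) &&
	    !old_index_ok_fixed(next, 0, oldsize);
}

int main(void)
{
	/* constructed: oldpos 10 into a 100-byte old file, ctrl[2] = -50 */
	printf("negative index passes patched check: %d\n",
	    negative_offset_escapes(10, -50, 100));
	return 0;
}
```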