git: 1a2f06d0f290 - main - vis(3): avoid out-of-bounds stack buffer reads
Alex Richardson
arichardson at FreeBSD.org
Wed Jun 16 16:21:03 UTC 2021
The branch main has been updated by arichardson:
URL: https://cgit.FreeBSD.org/src/commit/?id=1a2f06d0f2905c9a18340b377cbbe772f2ca6844
commit 1a2f06d0f2905c9a18340b377cbbe772f2ca6844
Author: Alex Richardson <arichardson at FreeBSD.org>
AuthorDate: 2021-06-16 15:27:13 +0000
Commit: Alex Richardson <arichardson at FreeBSD.org>
CommitDate: 2021-06-16 15:27:13 +0000
vis(3): avoid out-of-bounds stack buffer reads
I found this while running kdump(1) on a CheriBSD system due to a
capability length violation when printing the /etc/libmap.conf read()
system call: it crashed immediately after printing the first line.
Found by: CHERI
Reviewed By: jhb
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D30771
---
contrib/libc-vis/vis.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/contrib/libc-vis/vis.c b/contrib/libc-vis/vis.c
index 21c07b70619d..c43186a44b51 100644
--- a/contrib/libc-vis/vis.c
+++ b/contrib/libc-vis/vis.c
@@ -465,7 +465,8 @@ istrsenvisx(char **mbdstp, size_t *dlen, const char *mbsrc, size_t mblength,
while (mbslength > 0) {
/* Convert one multibyte character to wchar_t. */
if (!cerr)
- clen = mbrtowc(src, mbsrc, MB_LEN_MAX, &mbstate);
+ clen = mbrtowc(src, mbsrc, MIN(mbslength, MB_LEN_MAX),
+ &mbstate);
if (cerr || clen < 0) {
/* Conversion error, process as a byte instead. */
*src = (wint_t)(u_char)*mbsrc;
More information about the dev-commits-src-main
mailing list