[Rpm-maint] [rpm-software-management/rpm] Avoid a pointer overflow in dataLength() (#1608)

Demi Marie Obenour notifications at github.com
Fri Mar 26 15:01:52 UTC 2021


This is not a problem on GCC with `-fno-strict-overflow`, at least on 64-bit systems.  However, there are several reasons I would like to get this in:

1. It makes the code easier to review.  With the code as written, I need to do additional mental work to determine that it is not exploitable.  With the modified version, it is obvious.
2. The current code does not conform to the C99 standard.  The C99 standard explicitly states that creating an out-of-bounds pointer (except one past the end) is undefined behavior.
3. It allows fuzzing with `-fsanitize=address,pointer-compare` to proceed past this section of code.  Such fuzzing already led to one long-standing bug being fixed (#580, fixed by #1606).

I have a test case, which I will be including as part of a separate PR for a fuzz harness, as it is part of the fuzz corpus.  I can split it into a separate test if desired.

You can view, comment on, or merge this pull request online at:

  https://github.com/rpm-software-management/rpm/pull/1608

-- Commit Summary --

  * Avoid a pointer overflow in dataLength()

-- File Changes --

    M lib/header.c (2)

-- Patch Links --

https://github.com/rpm-software-management/rpm/pull/1608.patch
https://github.com/rpm-software-management/rpm/pull/1608.diff

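As an added illustration (editor's own code, not rpm's lib/header.c and not the diff from this PR): the bounds-check idiom the PR title refers to, written so the length check is done on sizes rather than by forming `s + length` and comparing it with the end pointer, which is the out-of-bounds pointer the C99 point above is about. The type names, element sizes and the sample buffer are assumptions for the demonstration.

```c
/* Added illustration, not rpm's code: length checks that never form a
 * pointer beyond the buffer end. The pattern being avoided is
 *     if (s + length > se) return -1;
 * where s + length may itself be an out-of-bounds pointer (undefined
 * behavior in C99, and something -fsanitize=address,pointer-compare
 * flags). Below, the comparison is done on sizes instead. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical element sizes for a few fixed-width tag types (assumed). */
enum { T_INT8 = 0, T_INT16, T_INT32, T_INT64, T_NTYPES };
static const size_t elemSize[T_NTYPES] = { 1, 2, 4, 8 };

/* Returns the byte length of `count` elements of `type` starting at `s`
 * within [s, se), or -1 if they would not fit. All arithmetic is on
 * sizes; the multiplication is checked by division so it cannot wrap. */
static long dataLengthSafe(int type, const unsigned char *s, uint32_t count,
                           const unsigned char *se)
{
    if (type < 0 || type >= T_NTYPES || s > se)
        return -1;
    size_t avail = (size_t)(se - s);          /* bytes remaining in buffer */
    if (count > avail / elemSize[type])       /* elemSize * count > avail */
        return -1;
    return (long)(elemSize[type] * count);
}

/* Bounded scan for a NUL-terminated string: memchr stays inside [s, se),
 * so neither a read nor a pointer past `se` is ever produced. Returns the
 * length including the terminator, or -1 if no NUL lies before `se`. */
static long stringLengthSafe(const unsigned char *s, const unsigned char *se)
{
    if (s > se)
        return -1;
    const unsigned char *nul = memchr(s, '\0', (size_t)(se - s));
    return nul ? (long)(nul - s) + 1 : -1;
}

/* Constructed sample buffer: "abc\0" followed by eight non-zero bytes. */
static const unsigned char sample[12] = { 'a','b','c',0, 1,2,3,4, 5,6,7,8 };
```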