
[bug-patch] integer overflow and out of bounds memory access


From: Tobias Stoeckmann
Subject: [bug-patch] integer overflow and out of bounds memory access
Date: Tue, 25 Nov 2014 17:19:54 +0100

Hi,

as discovered for OpenBSD's patch, GNU patch also suffers from
integer overflows, which can lead to arbitrary memory access.

This file will trigger out of boundary memory access:
$ cat a.diff
--- a   Sat Nov 15 00:25:29 2014
+++ b   Sat Nov 15 00:06:50 2014
@@ -1,9223372036854775807 +1,9223372036854775807 @@
-a
+b
$ touch a
$ patch a a.diff

So what's wrong?

Look at line 1666 in pch.c:
p_max = p_ptrn_lines + p_repl_lines + 1;

p_max will overflow to -1 due to our modified (and invalid) diff,
therefore no memory will be allocated. -1 is definitely smaller than
hunkmax.

Later on, line 1671:
filldst = fillsrc + p_ptrn_lines;

We assign an invalid number into filldst, which gets referenced in
line 1685:
p_len[filldst] = strlen (buf);

Therefore, we write data into a memory chunk that most likely does not
belong to us. For this example, filldst would be -9223372036854775808.

You can find my proposed diff for OpenBSD here:
http://marc.info/?l=openbsd-tech&m=141693055412785&w=2

I know about the license issues that could step in:  I am definitely
fine if you take these changes and incorporate them into your GPL code.
Otherwise... Take it as input for your own solution. ;)


Tobias
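
Added example, not part of the original message and not code from GNU patch or OpenBSD: the arithmetic described in the mail reproduced in C, beside an overflow-checked form of the p_max computation. It assumes 64-bit signed line counts (as the values in the mail imply) and fillsrc = 1 (inferred from the stated filldst value); wrap_add and hunk_max_checked are hypothetical names.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper: two's-complement wraparound add. The sum is formed
   in unsigned arithmetic so it is well defined; the final conversion is
   implementation-defined and modular on GCC and Clang. */
int64_t wrap_add(int64_t a, int64_t b)
{
    return (int64_t)((uint64_t)a + (uint64_t)b);
}

/* Hypothetical helper: compute ptrn + repl + 1 (the p_max expression)
   without signed overflow. Returns false for negative counts or a sum
   that does not fit in int64_t; *out is written only on success. */
bool hunk_max_checked(int64_t ptrn, int64_t repl, int64_t *out)
{
    if (ptrn < 0 || repl < 0)
        return false;
    if (ptrn > INT64_MAX - repl)      /* ptrn + repl would overflow */
        return false;
    if (ptrn + repl > INT64_MAX - 1)  /* the trailing + 1 would overflow */
        return false;
    *out = ptrn + repl + 1;
    return true;
}

int main(void)
{
    int64_t n = INT64_MAX;  /* 9223372036854775807, from the hunk header */
    int64_t p_max = 0;

    /* Unchecked arithmetic, as described in the mail. */
    printf("wrapped p_max   = %lld\n", (long long)wrap_add(wrap_add(n, n), 1));
    printf("wrapped filldst = %lld\n", (long long)wrap_add(1, n));

    /* Checked arithmetic: the hunk is rejected before any index is used.
       Once p_max is valid, filldst = 1 + ptrn <= p_max because repl >= 0. */
    if (!hunk_max_checked(n, n, &p_max))
        puts("hunk rejected: line counts overflow");
    if (hunk_max_checked(9, 9, &p_max))
        printf("valid hunk, p_max = %lld\n", (long long)p_max);
    return 0;
}
```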


