42 lines
1.4 KiB
Diff
42 lines
1.4 KiB
Diff
From 6d6fae79e016629b6c896463f62e7b1a6e651ed6 Mon Sep 17 00:00:00 2001
|
|
From: liningjie <liningjie@xfusion.com>
|
|
Date: Thu, 24 Aug 2023 11:36:22 +0800
|
|
Subject: [PATCH] Bug #706494 "Buffer Overflow in s_xBCPE_process"
|
|
|
|
As described in detail in the bug report, if the write buffer is filled
|
|
to one byte less than full, and we then try to write an escaped
|
|
character, we overrun the buffer because we don't check before
|
|
writing two bytes to it.
|
|
|
|
This just checks if we have two bytes before starting to write an
|
|
escaped character and exits if we don't (replacing the consumed byte
|
|
of the input).
|
|
|
|
Up for further discussion; why do we even permit a BCP encoding filter
|
|
anyway ? I think we should remove this, at least when SAFER is true.
|
|
---
|
|
base/sbcp.c | 8 ++++++++
|
|
1 file changed, 8 insertions(+)
|
|
|
|
diff --git a/base/sbcp.c b/base/sbcp.c
|
|
index 6b0383c..3b8970f 100644
|
|
--- a/base/sbcp.c
|
|
+++ b/base/sbcp.c
|
|
@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, stream_cursor_read * pr,
|
|
byte ch = *++p;
|
|
|
|
if (ch <= 31 && escaped[ch]) {
|
|
+ /* Make sure we have space to store two characters in the write buffer,
|
|
+ * if we don't then exit without consuming the input character, we'll process
|
|
+ * that on the next time round.
|
|
+ */
|
|
+ if (pw->limit - q < 2) {
|
|
+ p--;
|
|
+ break;
|
|
+ }
|
|
if (p == rlimit) {
|
|
p--;
|
|
break;
|
|
--
|
|
2.27.0
|