Commit a134b62
committed
sljit/protexec: fix out-of-bounds stack write
In create_tempfile() we look for a suitable place to put the temporary
file into and, among others, look at $TMPDIR. If the value of this
environment variable exceeds the bounds of the local tmp_name[] buffer,
we ignore it. However, we still change the value of 'tmp_name_len' which
leads to follow-up errors.
On debug builds this can lead to hitting the assertion as can be seen
below:
```
$ TMPDIR=$(perl -e 'print "A"x1024') ./bin/array_access
Assertion failed at sljit_src/sljitProtExecAllocator.c:147
Aborted
```
For non-debug builds, however, this can lead to memory corruption, by
abusing the fact that we change a trailing '/' to '\0' later on. With a
sufficiently high value for 'tmp_name_len' this can corrupt stack
frames up in the call chain.
Fix this by setting 'tmp_name_len' only if the value it is based on is found
to be valid -- just like it was prior to commit 98323bd82218.
Fixes: 98323bd82218 ("protexec: refactor create_tempfile() (#37)")
Signed-off-by: Mathias Krause <[email protected]>

1 parent b73b334, commit a134b62

1 file changed: +10 −5 lines changed

| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
107 | 107 | | |
108 | 108 | | |
109 | 109 | | |
| 110 | + | |
110 | 111 | | |
111 | 112 | | |
112 | 113 | | |
| |||
125 | 126 | | |
126 | 127 | | |
127 | 128 | | |
128 | | - | |
129 | | - | |
130 | | - | |
| 129 | + | |
| 130 | + | |
| 131 | + | |
131 | 132 | | |
| 133 | + | |
| 134 | + | |
132 | 135 | | |
133 | 136 | | |
134 | 137 | | |
135 | 138 | | |
136 | 139 | | |
137 | | - | |
138 | | - | |
| 140 | + | |
| 141 | + | |
139 | 142 | | |
| 143 | + | |
| 144 | + | |
140 | 145 | | |
141 | 146 | | |
142 | 147 | | |
| |||
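
The diff content above was not preserved by extraction, so here is an added example (my own code, not sljit's) that models the defect described in the commit message: a candidate directory is rejected because it does not fit the local buffer, yet the length variable is still updated, and a later "strip the trailing '/'" step then indexes with that bogus length. The buffer size, the `/tmp/` default and all function names are assumptions for the demo; the 1024-byte `AAAA...` value mirrors the reproducer in the message. Instead of performing the out-of-bounds write, the demo's consistency check refuses and returns -1, which stands in for the assertion a debug build hits.

```c
/* Added example (not sljit's code): models the create_tempfile() bug from the
 * commit message. Names, the buffer size and the "/tmp/" default are
 * assumptions made for this demo. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TMP_NAME_MAX 64           /* assumed buffer size, kept small for the demo */
#define LONG_TMPDIR_LEN 1024      /* same length as the perl -e 'print "A"x1024' case */

typedef struct {
    char name[TMP_NAME_MAX];      /* stands in for the local tmp_name[] */
    size_t len;                   /* stands in for tmp_name_len */
} tmp_path;

/* Start from a constructed default so name[] and len agree. */
static void tmp_path_init(tmp_path *p)
{
    static const char dflt[] = "/tmp/";
    memcpy(p->name, dflt, sizeof dflt);
    p->len = sizeof dflt - 1;
}

/* Buggy shape: the candidate is copied only when it fits, but len is
 * updated unconditionally, so a rejected over-long $TMPDIR still changes
 * the length that later code relies on. */
static void consider_dir_buggy(tmp_path *p, const char *dir)
{
    size_t len = dir ? strlen(dir) : 0;
    if (len > 0 && len < TMP_NAME_MAX)
        memcpy(p->name, dir, len + 1);
    p->len = len;                 /* BUG: set even when dir was rejected */
}

/* Fixed shape: len changes only together with the buffer contents. */
static void consider_dir_fixed(tmp_path *p, const char *dir)
{
    size_t len = dir ? strlen(dir) : 0;
    if (len > 0 && len < TMP_NAME_MAX) {
        memcpy(p->name, dir, len + 1);
        p->len = len;
    }
}

/* The later step the commit message mentions: turn a trailing '/' into
 * '\0'. Rather than writing at an index outside name[], this demo refuses
 * and returns -1 (the role the debug-build assertion plays). Returns 0
 * when len describes the buffer. */
static int strip_trailing_slash(tmp_path *p)
{
    if (p->len == 0 || p->len >= TMP_NAME_MAX)
        return -1;                /* len is inconsistent with name[] */
    if (p->name[p->len - 1] == '/')
        p->name[--p->len] = '\0';
    return 0;
}

/* Constructed input: a 1024-byte "AAAA..." value like the reproducer. */
const char *long_tmpdir(void)
{
    static char buf[LONG_TMPDIR_LEN + 1];
    memset(buf, 'A', LONG_TMPDIR_LEN);
    buf[LONG_TMPDIR_LEN] = '\0';
    return buf;
}

/* Run one variant end to end. Returns 0 on success and -1 when the
 * trailing-slash step would have gone out of bounds; the final directory
 * is copied into out (which must hold at least TMP_NAME_MAX bytes). */
int create_tempdir_name(const char *tmpdir, int fixed, char *out)
{
    tmp_path p;
    tmp_path_init(&p);
    if (fixed)
        consider_dir_fixed(&p, tmpdir);
    else
        consider_dir_buggy(&p, tmpdir);
    if (strip_trailing_slash(&p) != 0) {
        out[0] = '\0';
        return -1;
    }
    memcpy(out, p.name, p.len + 1);
    return 0;
}

int main(void)
{
    char out[TMP_NAME_MAX];
    int rc = create_tempdir_name(long_tmpdir(), 0, out);
    printf("buggy with 1024-byte TMPDIR: rc=%d (length went out of bounds)\n", rc);
    rc = create_tempdir_name(long_tmpdir(), 1, out);
    printf("fixed with 1024-byte TMPDIR: rc=%d dir=%s\n", rc, out);
    rc = create_tempdir_name("/var/tmp/", 1, out);
    printf("fixed with /var/tmp/:        rc=%d dir=%s\n", rc, out);
    return 0;
}
```

The point to take from the two `consider_dir_*` variants is that a length and the buffer it describes must be updated as a unit: any early-return or skipped-copy path that leaves one of them changed is the same class of bug regardless of how large the buffer is.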