[Chicken-hackers] [PATCH] Bound read-u8vector! to dest vector's size whe
From: Evan Hanson
Subject: [Chicken-hackers] [PATCH] Bound read-u8vector! to dest vector's size when no length is given
Date: Sat, 17 May 2014 20:41:15 -0700
User-agent: OpenSMTPD enqueuer (Demoosh)

Hi hackers,

I believe issue #1124[1] is due to a missing bounds check in
`read-u8vector!`.

Currently, its read size is bounded according to the destination
u8vector's size when a length argument is given, but not when false is
passed for the length instead, leading to a possible buffer overrun. The
attached patch ensures this check is performed for both cases.

This problem (and the fix) is nearly identical to one that was found and
fixed in `read-string!` last year[2], via cd1b977. The patch doesn't
update NEWS yet since, as with CVE-2013-4385, this has security
implications and I think it should be included in the stable release as
well.

[1]: https://bugs.call-cc.org/ticket/1124
[2]: https://lists.nongnu.org/archive/html/chicken-announce/2013-09/msg00000.html

Evan

0001-Bound-read-u8vector-to-dest-vector-s-size-when-no-le.patch
Description: Text document
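
The bounds logic the message describes, as an added C model; this is not the attached patch and not CHICKEN's source. All names, the `NO_LENGTH` sentinel standing in for a false length argument, and the `start` offset parameter are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for Scheme's #f "no length given" (an assumption of this model). */
#define NO_LENGTH ((size_t)-1)

/* Pre-fix logic as the email describes it: the destination bounds the count
   only when a length is supplied. Returns the byte count that would be
   stored; it performs no copy, so the overrun is only computed. */
size_t unchecked_count(size_t requested, size_t avail, size_t cap, size_t start)
{
    size_t room = start < cap ? cap - start : 0;
    if (requested == NO_LENGTH)
        return avail;                      /* bounded by the input alone */
    if (requested > room)
        requested = room;
    return requested < avail ? requested : avail;
}

/* Corrected logic: the room left in dest bounds both cases. */
size_t bounded_count(size_t requested, size_t avail, size_t cap, size_t start)
{
    size_t room = start < cap ? cap - start : 0;
    if (requested == NO_LENGTH || requested > room)
        requested = room;
    return requested < avail ? requested : avail;
}

/* Copy using the corrected count; returns the number of bytes stored. */
size_t read_into(unsigned char *dest, size_t cap, size_t start,
                 const unsigned char *src, size_t avail, size_t requested)
{
    size_t n = bounded_count(requested, avail, cap, start);
    if (n > 0)
        memcpy(dest + start, src, n);
    return n;
}

/* Constructed check: 32 input bytes, 8-byte destination followed by a guard.
   Returns 1 if exactly `expect` bytes were stored and the guard is intact. */
int guard_intact_after_read(size_t start, size_t requested, size_t expect)
{
    struct { unsigned char buf[8]; unsigned char guard[4]; } d;
    unsigned char src[32];
    memset(src, 0xAA, sizeof src);
    memset(&d, 0, sizeof d);
    size_t n = read_into(d.buf, sizeof d.buf, start, src, sizeof src, requested);
    return n == expect && d.guard[0] == 0 && d.guard[3] == 0;
}
```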