#9 global-buffer-overflow in init_commands() in commands.c

[Nguyen Le Quoc Anh]

I found a vulnerable in init_commands() in commands.c:
It's a buffer overflow.

void init_commands(void) {
  char *editor;
  editor = getenv(EDITOR_VARIABLE);
  if (editor != NIL)
    strcpy(editname, editor); // You should check input length here!
  else {
    strcpy(editname, DEFAULT_EDITOR);
  }
}

You should check input length before copy or using strncpy() instead of strcpy().

==22221==ERROR: AddressSanitizer: global-buffer-overflow on address 0x559947733374 at pc 0x7f4ba38993a6 bp 0x7ffd90f5ab00 sp 0x7ffd90f5a2a8
WRITE of size 26 at 0x559947733374 thread T0
    #0 0x7f4ba38993a5  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x663a5)
    #1 0x5599473a45e8 in init2 src/brandy.c:156
    #2 0x5599473a45e8 in main src/brandy.c:70
    #3 0x7f4ba2e2db96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #4 0x5599473a5369 in _start (/bin/brandy+0x21369)

0x559947733374 is located 44 bytes to the left of global variable 'lastaddr' defined in 'src/commands.c:53:14' (0x5599477333a0) of size 4
0x559947733374 is located 0 bytes to the right of global variable 'editname' defined in 'src/commands.c:55:13' (0x559947733360) of size 20
SUMMARY: AddressSanitizer: global-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x663a5) 
Shadow bytes around the buggy address:
  0x0ab3a8ede610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab3a8ede620: 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9
  0x0ab3a8ede630: f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
  0x0ab3a8ede640: 00 00 00 00 01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0ab3a8ede650: f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
=>0x0ab3a8ede660: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00[04]f9
  0x0ab3a8ede670: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0ab3a8ede680: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0ab3a8ede690: 00 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x0ab3a8ede6a0: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ab3a8ede6b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==22221==ABORTING

[Michael McConnell]

Fixed downstream on the Matrix Brandy fork.