From: GitHub <no...@gi...> - 2018-05-20 05:49:26
Branch: refs/heads/master
Home: https://github.com/libming/libming

Commit: 8dd118eac8a3c93c2f42089e7af4d7bb8cefd0b3
    https://github.com/libming/libming/commit/8dd118eac8a3c93c2f42089e7af4d7bb8cefd0b3
Author: Hugo Lefeuvre <hl...@de...>
Date: 2018-05-20 (Sun, 20 May 2018)

Changed paths:
  M NEWS
  M util/decompile.c

Log Message:
-----------
Fix null pointer dereference in getName/getString

Whenever getString or getName are called with an act such that act->p.String is a NULL pointer, a NULL pointer dereference might happen (strlen(act->p.string) is called).

In this commit we add checks at the beginning of the PUSH_STRING block so that a warning is displayed and an empty string is returned in this case.

This patch fixes #121.

Commit: 30170828f1e8e4dff95af6e319b4ad59e64796d9
    https://github.com/libming/libming/commit/30170828f1e8e4dff95af6e319b4ad59e64796d9
Author: Hugo Lefeuvre <hl...@de...>
Date: 2018-05-20 (Sun, 20 May 2018)

Changed paths:
  M NEWS
  M util/decompile.c

Log Message:
-----------
Fix heap-buffer-overflow in getString

getString is allocating a 4-byte buffer to store an 'R' and an 8-bit number.

    t=malloc(4); /* Rdd */
    sprintf(t,"R%d", act->p.RegisterNumber );
    return t;

Since up to three digits can be required to store the 8-bit number, the buffer has to be 5 bytes long.

In this commit we also fix the PUSH_DOUBLE case by dynamically computing the required buffer size.

This commit fixes #116 (CVE-2018-7867).

Commit: 6f1ab314684423be5c8bf29c73f65fadfbe71382
    https://github.com/libming/libming/commit/6f1ab314684423be5c8bf29c73f65fadfbe71382
Author: Hugo Lefeuvre <hl...@de...>
Date: 2018-05-20 (Sun, 20 May 2018)

Changed paths:
  M NEWS
  M util/decompile.c

Log Message:
-----------
Perform deep copy in pushdup (instead of shallow)

Until now, the element duplication in pushdup was performed via t->val = Stack->val. While this is perfectly fine for integer/double/register values, this may create nasty, hard-to-debug issues with Strings.

In fact, when called with a String at the top of the stack, pushdup would only push *a reference* to the same String element (shallow copy), later allowing several stack elements to be modified at once, which may potentially lead to NULL pointer dereferences or any other unspecified impact.

In this patch we implement deep copy in pushdup:

 * If the type of the stack element is 's' (for String), we allocate a new buffer and copy the String into it.
 * Otherwise we simply proceed as before, that is we do t->val = Stack->val, which is perfectly fine since we are not dealing with pointers.

This patch is the last part of the patch for #121 (fixes #121), which should now be completely fixed.

Compare: https://github.com/libming/libming/compare/50e2bf750fd8...6f1ab3146844

**NOTE:** This service has been marked for deprecation: https://developer.github.com/changes/2018-04-25-github-services-deprecation/

Functionality will be removed from GitHub.com on January 31st, 2019.
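The three commit messages above describe three defects of the same decompiler code path: a fixed 4-byte buffer for "R%d" that overflows on three-digit register numbers, a NULL string passed to strlen, and a shallow copy of a string pointer in pushdup. The following C example is added here to illustrate the hardened patterns those messages describe; it is not libming's code, and the `Elem` struct, the `register_name`, `string_value` and `elem_deep_copy` functions and their field names are constructed stand-ins for the project's own types.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Constructed stack element loosely modelled on the commit messages
   (assumption: libming's real struct and field names differ). */
typedef struct {
    char type;                 /* 's' string, 'i' integer, 'd' double, 'r' register */
    union {
        char *string;
        int integer;
        double dbl;
        uint8_t registerNumber;
    } val;
} Elem;

/* Portable replacement for strdup (POSIX, not ISO C). */
static char *dup_string(const char *s) {
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (copy) memcpy(copy, s, n);
    return copy;
}

/* Bytes needed to hold "R<reg>" plus the terminating NUL.
   snprintf(NULL, 0, ...) returns the length without writing anything,
   so the size is computed rather than guessed (this is what "dynamically
   computing the required buffer size" in the second commit means). */
size_t register_name_size(uint8_t reg) {
    return (size_t)snprintf(NULL, 0, "R%d", reg) + 1;   /* 255 -> 5 */
}

/* Hardened form of the quoted malloc(4) / sprintf("R%d") snippet:
   the buffer is sized from the formatted length, and snprintf bounds the write. */
char *register_name(uint8_t reg) {
    size_t need = register_name_size(reg);
    char *t = malloc(need);
    if (!t) return NULL;
    snprintf(t, need, "R%d", reg);
    return t;
}

/* Hardened string getter: a NULL input yields a warning and an empty
   string instead of being handed to strlen (first commit). */
char *string_value(const char *s) {
    if (s == NULL) {
        fprintf(stderr, "warning: PUSH_STRING with NULL string, using \"\"\n");
        return dup_string("");
    }
    return dup_string(s);
}

/* Deep copy as described in the third commit: strings get their own
   buffer, scalar members are copied by value. Returns 0 on success. */
int elem_deep_copy(Elem *dst, const Elem *src) {
    dst->type = src->type;
    if (src->type == 's') {
        const char *s = src->val.string ? src->val.string : "";
        dst->val.string = dup_string(s);
        return dst->val.string ? 0 : -1;
    }
    dst->val = src->val;       /* no pointers involved, value copy is fine */
    return 0;
}

/* Helpers that return check results so they can be asserted on. */
int register_name_is(uint8_t reg, const char *expected) {
    char *r = register_name(reg);
    int ok = r && strcmp(r, expected) == 0;
    free(r);
    return ok;
}

int string_value_is(const char *in, const char *expected) {
    char *s = string_value(in);
    int ok = s && strcmp(s, expected) == 0;
    free(s);
    return ok;
}

/* Mutating the original after a deep copy must not affect the duplicate;
   with the old shallow copy both elements would share one buffer. */
int deep_copy_is_independent(void) {
    Elem a, b;
    a.type = 's';
    a.val.string = dup_string("hello");
    if (!a.val.string || elem_deep_copy(&b, &a) != 0) return 0;
    a.val.string[0] = 'J';
    int ok = b.val.string != a.val.string && strcmp(b.val.string, "hello") == 0;
    free(a.val.string);
    free(b.val.string);
    return ok;
}
```

The size computation via `snprintf(NULL, 0, ...)` generalises beyond the register case to the PUSH_DOUBLE path the second commit mentions: any formatted value gets a buffer exactly as large as its rendering, so the "Rdd" comment can never again be smaller than the data.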