
#119 Fix buffer overflow in src/xspice/icm/digital/d_state/cfunc.mod

Unstable (example)
closed-accepted
None
5
2024-11-25
2024-11-19
No

'fgets' on line 1369 can overflow the 'temp' buffer.

When reading a line containing only whitespace characters, 's' is incremented in the 'while' loop, but is not reset to 'temp' afterwards, as in the case of non-whitespace lines, so on the next iteration 'fgets' can overflow 'temp' by the number of whitespace characters in the previous line. Move 's = temp;' out of the 'if (*s != '\0')' to fix this.

Without this fix, a segmentation fault can be achieved, for example, in the 'd_state.cir' test by adding ~200 whitespace characters to the 5th line of 'd_state-updn.txt'.
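A constructed reproduction of the pattern the ticket describes, as an added example (not the ngspice code or the attached patch): the same fixed buffer 'temp' and roaming pointer 's', with the reset placed only inside the 'if' (bug) versus on every line (fix). The buffer size, the input lines and the function names are assumptions; the demo measures how far the next fgets would overrun rather than performing the overrun.

```c
#include <stdio.h>
#include <ctype.h>

#define LINE_LEN 16 /* constructed: tiny buffer so the drift is obvious */

/* Mirrors the reading loop from the ticket. reset_always == 0 resets 's'
 * only after a non-blank line (the bug); 1 resets it every line (the fix).
 * The demo stays memory-safe: before each read it measures how far 's' has
 * drifted from 'temp' and shrinks the read by that much, instead of letting
 * fgets(s, LINE_LEN, fp) overrun. The largest drift seen is returned; that is
 * the number of bytes the real call would have written past 'temp'. */
long max_drift(FILE *fp, int reset_always)
{
    char temp[LINE_LEN];
    char *s = temp;
    long worst = 0;
    for (;;) {
        long drift = s - temp;
        if (drift > worst)
            worst = drift;
        if (drift >= LINE_LEN - 1)  /* no room left: the real code overruns */
            break;
        if (fgets(s, (int)(LINE_LEN - drift), fp) == NULL)
            break;
        while (*s != '\0' && isspace((unsigned char)*s))
            s++;                    /* the 'while' loop: skip leading blanks */
        if (reset_always || *s != '\0')
            s = temp;  /* fix: reset on every line, not only inside the 'if' */
    }
    return worst;
}

/* Runs both variants over constructed input (blank lines of 3 and 6 spaces
 * between tokens). Returns the buggy variant's worst drift and stores the
 * fixed variant's in *fixed_out. */
long demo(long *fixed_out)
{
    FILE *fp = tmpfile();
    if (fp == NULL)
        return -1;
    fputs("a\n   \nb\n      \nc\n", fp);
    rewind(fp);
    long buggy = max_drift(fp, 0);
    rewind(fp);
    *fixed_out = max_drift(fp, 1);
    fclose(fp);
    return buggy;
}
```

Each blank line leaves 's' parked past its whitespace (including the newline), so the buggy variant reports a 7-byte would-be overrun while the fixed one reports 0.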

1 Attachments

Discussion

  • Giles Atkinson

    Giles Atkinson - 2024-11-19
    • status: open --> pending
    • assigned_to: Giles Atkinson
     
  • Giles Atkinson

    Giles Atkinson - 2024-11-19

    I will take a look.

     
  • Giles Atkinson

    Giles Atkinson - 2024-11-25
    • status: pending --> closed-accepted
     
  • Giles Atkinson

    Giles Atkinson - 2024-11-25

    Many thanks!

    commit 10b3e3a560d9c4b568619ce40a0983ea826e3260
    Author: Giles Atkinson <gatk555@gmail.com>
    Date: Wed Nov 20 21:42:23 2024 +0000

    Apply Patch #119 -
        "Fix buffer overflow in src/xspice/icm/digital/d_state/cfunc.mod".
    The change is not identical to the supplied patch. It was slightly
    modified to make the original code more sane.
    Found and patched by Artem Sinkevich.
    
     
