Red Hat Bugzilla – Attachment 355146 Details for Bug 513764: [PATCH] Fix stack smashing in variable expansion
Fix stack smashing in variable expansion
jam-2.5-overflow.patch (text/plain), 2.75 KB, created by Lubomir Rintel on 2009-07-25 14:09:37 UTC
>From: Lubomir Rintel <lkundrak@v3.sk> >Subject: [PATCH] Fix stack smashing in variable expansion > >Apparently, Fedora's compiler flags were too long for jam's mind, >resulting in out-of-bounds write on stack. This patch increases length >of variable expansion buffer (and filename buffer, just in case) as >well as adds checks for buffer overflows in some places. > >diff -up jam-2.5/expand.c.overflow jam-2.5/expand.c >--- jam-2.5/expand.c.overflow 2003-04-23 06:45:50.000000000 +0200 >+++ jam-2.5/expand.c 2009-07-25 15:59:30.319767119 +0200 >@@ -27,6 +27,7 @@ > * 10/22/02 (seiwald) - list_new() now does its own newstr()/copystr() > * 11/04/02 (seiwald) - const-ing for string literals > * 12/30/02 (armstrong) - fix out-of-bounds access in var_expand() >+ * 25/07/09 (lkundrak@v3.sk) - fix stack overflows in var_expand() > */ > > # include "jam.h" >@@ -283,8 +284,14 @@ var_expand( > > if( colon && edits.filemods ) > var_edit_file( value->string, out, &edits ); >- else >+ else { >+ if( out + strlen( value->string ) > out_buf + sizeof( out_buf ) ) { >+ fprintf( stderr, "ERROR: String longer than %i characters: '%s' + '%s'\n", >+ sizeof( out_buf ), out, value->string ); >+ exit( 1 ); >+ } > strcpy( out, value->string ); >+ } > > if( colon && ( edits.upshift || edits.downshift ) ) > var_edit_shift( out, &edits ); >@@ -298,6 +305,11 @@ var_expand( > ( list_next( value ) || list_next( vars ) ) ) > { > out += strlen( out ); >+ if( out + strlen( edits.join.ptr ) > out_buf + sizeof( out_buf ) ) { >+ fprintf( stderr, "ERROR: String longer than %i characters: '%s' + '%s'\n", >+ sizeof( out_buf ), out, edits.join.ptr ); >+ exit( 1 ); >+ } > strcpy( out, edits.join.ptr ); > out += strlen( out ); > continue; 
>@@ -320,6 +332,11 @@ var_expand( > > for( rem = remainder; rem; rem = list_next( rem ) ) > { >+ if( out1 + strlen( rem->string ) > out_buf + sizeof( out_buf ) ) { >+ fprintf( stderr, "ERROR: String longer than %i characters: '%s' + '%s'\n", >+ sizeof( out_buf ), out, rem->string ); >+ exit( 1 ); >+ } > strcpy( out1, rem->string ); > l = list_new( l, out_buf, 0 ); > } >diff -up jam-2.5/jam.h.overflow jam-2.5/jam.h >--- jam-2.5/jam.h.overflow 2004-06-23 19:45:36.000000000 +0200 >+++ jam-2.5/jam.h 2009-07-25 15:59:35.464767132 +0200 >@@ -472,8 +472,12 @@ > > /* You probably don't need to muck with these. */ > >-# define MAXSYM 1024 /* longest symbol in the environment */ >-# define MAXJPATH 1024 /* longest filename */ >+# define MAXSYM 65536 /* longest symbol in the environment */ >+# ifdef PATH_MAX >+# define MAXJPATH PATH_MAX /* longest filename */ >+# else >+# define MAXJPATH 4096 >+# endif > > # define MAXJOBS 64 /* silently enforce -j limit */ > # define MAXARGC 32 /* words in $(JAMSHELL) */
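Review bot: the changelog line added to the header comment of expand.c (hunk @@ -27,6) is dated 25/07/09, while the entries around it (10/22/02, 11/04/02, 12/30/02) are month/day/year and credit a short name rather than an e-mail address. Writing it as 07/25/09 with a short name keeps the history readable in one convention.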
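Review bot: the bounds check added before strcpy( out, value->string ) in hunk @@ -283,8 is off by one. strcpy writes strlen( value->string ) + 1 bytes, so when out + strlen( value->string ) equals out_buf + sizeof( out_buf ) the test passes and the terminating NUL is written one byte past the end of out_buf. Use >= instead of >, and preferably compare lengths rather than pointers, for example strlen( value->string ) >= (size_t)( out_buf + sizeof( out_buf ) - out ), so that no pointer beyond the buffer is ever formed. The other branch in the same hunk, var_edit_file( value->string, out, &edits ), writes to the same out and gets no check here.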
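Review bot: the fprintf added in hunk @@ -298,6 (and its copies in the two neighbouring expand.c hunks) passes sizeof( out_buf ), which is a size_t, to a %i conversion. Where size_t is wider than int this is a format mismatch that can also corrupt the two %s arguments that follow. Cast the value to int, or use %lu with a cast to unsigned long. The join check here has the same > versus >= off-by-one as the value check, and since the same test and message now appear three times, a single helper taking the destination pointer and the source string would keep them consistent.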
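Review bot: in hunk @@ -320,6 the new check tests out1, but the error message prints out as the first string, so the diagnostic does not describe the copy that is about to overflow. Print out_buf or out1 there instead. The comparison out1 + strlen( rem->string ) > out_buf + sizeof( out_buf ) also lets the NUL terminator of strcpy( out1, rem->string ) land one byte past the buffer and should be >=.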
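Review bot: in the jam.h hunk, # ifdef PATH_MAX only selects PATH_MAX if a header defining it (normally <limits.h>) has been included before this point, and nothing in the visible context shows that, so the build can silently take the 4096 fallback. Include <limits.h> ahead of this block or document the dependency, and restore the /* longest filename */ comment on the fallback define. Separately, MAXSYM goes from 1024 to 65536; the description says the overflowed buffer is on the stack, so any stack array sized by MAXSYM becomes 64 times larger per call. It is worth confirming that this is acceptable for every user of MAXSYM, or allocating the expansion buffer on the heap, since a larger fixed size only moves the limit and the added checks are what actually stop the overflow.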