Bug 1668144

Summary: An issue was discovered in pspp 1.2.0. There is a buffer overflow at function text_parse_counted_string.
Product: [Fedora] Fedora Reporter: seri0us <teamseri0us360>
Component: psppAssignee: Peter Lemenkov <lemenkov>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: amello, lemenkov
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: pspp-1.2.0-2.fc30 pspp-1.2.0-2.fc29 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-04-03 00:39:18 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
patch none

Description seri0us 2019-01-22 03:55:58 UTC 
Created attachment 1522325 [details]
patch

Description of problem:
An issue was discovered in pspp 1.2.0. There is a buffer overflow at function text_parse_counted_string.

Version-Release number of selected component (if applicable):
pspp 1.2.0, pspp-dump-sav

How reproducible:


Steps to Reproduce:
1.compile pspp with asan
2.run 'pspp-dump-sav -data poc'


Actual results:
buffer overflow

Expected results:
trash it 

Additional info:
In Struct text_record, the pos of the buffer must be below it`s size.

```c
struct text_record
  {
    struct sfm_reader *reader;  /* Reader. */
    char *buffer;               /* Record contents. */
    size_t size;                /* Size of buffer. */
    size_t pos;                 /* Current position in buffer. */
  };
```

In function text_parse_counted_string,
'pos' > 'size'

```c
In file: /home/pwd/fuzz/fuzz-pspp/pspp-1.2.0/utilities/pspp-dump-sav.c
   1452   size_t start;
   1453   size_t n;
   1454   char *s;
   1455 
   1456   start = text->pos;
 ► 1457   n = 0;
   1458   while (isdigit ((unsigned char) text->buffer[text->pos]))
   1459     n = (n * 10) + (text->buffer[text->pos++] - '0');
   1460   if (start == text->pos)
   1461     {
   1462       sys_error (text->reader, "expecting digit at offset %zu in record",
/*
pwndbg> p *text
$1 = {
  reader = 0x7fffffffd520, 
  buffer = 0x607000000020 "VAR00001", 
  size = 71, 
  pos = 72
}
*/
```
Comment 1 Fedora Update System 2019-03-28 11:43:34 UTC 
pspp-1.2.0-2.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6dcb6b21de
Comment 2 Fedora Update System 2019-03-28 11:43:46 UTC 
pspp-1.2.0-2.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-817ff2201f
Comment 3 Fedora Update System 2019-03-29 00:12:53 UTC 
pspp-1.2.0-2.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6dcb6b21de
Comment 4 Fedora Update System 2019-03-29 04:15:53 UTC 
pspp-1.2.0-2.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-817ff2201f
Comment 5 Fedora Update System 2019-04-03 00:39:18 UTC 
pspp-1.2.0-2.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2019-04-06 19:43:15 UTC 
pspp-1.2.0-2.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.