Created attachment 1522325 [details]
patch

Description of problem:
An issue was discovered in pspp 1.2.0. There is a buffer overflow at function text_parse_counted_string.

Version-Release number of selected component (if applicable):
pspp 1.2.0, pspp-dump-sav

How reproducible:

Steps to Reproduce:
1. compile pspp with asan
2. run 'pspp-dump-sav -data poc'

Actual results:
buffer overflow

Expected results:
trash it

Additional info:
In struct text_record, the pos of the buffer must be below its size.

```c
struct text_record
  {
    struct sfm_reader *reader;  /* Reader. */
    char *buffer;               /* Record contents. */
    size_t size;                /* Size of buffer. */
    size_t pos;                 /* Current position in buffer. */
  };
```

In function text_parse_counted_string, 'pos' > 'size':

```
In file: /home/pwd/fuzz/fuzz-pspp/pspp-1.2.0/utilities/pspp-dump-sav.c
   1452   size_t start;
   1453   size_t n;
   1454   char *s;
   1455
   1456   start = text->pos;
 ► 1457   n = 0;
   1458   while (isdigit ((unsigned char) text->buffer[text->pos]))
   1459     n = (n * 10) + (text->buffer[text->pos++] - '0');
   1460   if (start == text->pos)
   1461     {
   1462       sys_error (text->reader, "expecting digit at offset %zu in record",

/*
pwndbg> p *text
$1 = {
  reader = 0x7fffffffd520,
  buffer = 0x607000000020 "VAR00001",
  size = 71,
  pos = 72
}
*/
```
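A bounds-checked rewrite of the digit loop quoted in the report, added here as an illustration of the missing check; it is not the pspp source or the project's fix, and the trimmed struct, the status codes and the check_case helper are assumptions of this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>

/* Same layout as the struct in the report, minus the reader pointer,
   which this stand-alone example does not need. */
struct text_record {
    const char *buffer;   /* Record contents. */
    size_t size;          /* Size of buffer. */
    size_t pos;           /* Current position in buffer. */
};

enum count_status { COUNT_OK, COUNT_NO_DIGIT, COUNT_OVERFLOW };

/* Bounds-checked variant of the loop in text_parse_counted_string: pos is
   compared with size before buffer[pos] is read, so an all-digit record
   ends the loop at pos == size instead of reading past the buffer. */
static enum count_status
parse_count(struct text_record *text, size_t *out)
{
    size_t start = text->pos;
    size_t n = 0;

    while (text->pos < text->size
           && isdigit((unsigned char) text->buffer[text->pos])) {
        unsigned digit = (unsigned) (text->buffer[text->pos] - '0');
        if (n > (SIZE_MAX - digit) / 10)
            return COUNT_OVERFLOW;      /* n * 10 + digit would wrap */
        n = n * 10 + digit;
        text->pos++;
    }
    if (text->pos == start)
        return COUNT_NO_DIGIT;          /* the report's "expecting digit" case */
    *out = n;
    return COUNT_OK;
}

/* Runs parse_count on one constructed record and reports whether status,
   parsed value and final position match what the caller expects. */
static int
check_case(const char *buf, size_t size, size_t pos,
           enum count_status want, size_t want_n, size_t want_pos)
{
    struct text_record text = { buf, size, pos };
    size_t n = 0;
    enum count_status st = parse_count(&text, &n);
    if (st != want) return 0;
    if (st == COUNT_OK && n != want_n) return 0;
    return st == COUNT_OVERFLOW || text.pos == want_pos;
}
```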
pspp-1.2.0-2.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6dcb6b21de
pspp-1.2.0-2.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-817ff2201f
pspp-1.2.0-2.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6dcb6b21de
pspp-1.2.0-2.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-817ff2201f
pspp-1.2.0-2.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
pspp-1.2.0-2.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.