summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorJo-Philipp Wich <jo@mein.io>2022-03-14 14:40:18 +0100
committerJo-Philipp Wich <jo@mein.io>2022-03-14 14:40:18 +0100
commit73dcd7837023939063ad89681c8d4e7392a310fe (patch)
tree8d50b4e8856fdd992ab690cccad947873016a4db
parent8fd4746da31b945a6259ac846f7cf8dcfef0b1ef (diff)
lib: fix potential integer underflow on empty render output
The current `uc_render()` implementation uses a `fseek()` call on the `open_memstream()` provided `FILE *` stream to reserve headroom for the `uc_string_t` header. The `fseek()` call alone does not guarantee that the underlying buffer length is updated on all libc implementations though. This may lead to an integer underflow later on when the `uc_string_t` header length is substracted from the buffer length after invoking a template that did not produce any output write operations. In such a case, a very large value is assigned to `ustr->length` leading to uninitialized or out-of-bounds memory accesses later on. Solve this issue by writing the header structure as data using `fwrite()` which should yield the expected behaviour on all libc environments. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-rw-r--r--lib.c5
1 files changed, 2 insertions, 3 deletions
diff --git a/lib.c b/lib.c
index dc48d84..f715484 100644
--- a/lib.c
+++ b/lib.c
@@ -2194,6 +2194,7 @@ uc_include(uc_vm_t *vm, size_t nargs)
static uc_value_t *
uc_render(uc_vm_t *vm, size_t nargs)
{
+ uc_string_t hdr = { .header = { .type = UC_STRING, .refcount = 1 } };
uc_string_t *ustr = NULL;
FILE *mem, *prev;
size_t len = 0;
@@ -2204,7 +2205,7 @@ uc_render(uc_vm_t *vm, size_t nargs)
goto out;
/* reserve space for uc_string_t header... */
- if (fseek(mem, sizeof(*ustr), SEEK_SET))
+ if (fwrite(&hdr, 1, sizeof(hdr), mem) != sizeof(hdr))
goto out;
/* divert VM output to memory fd */
@@ -2219,8 +2220,6 @@ uc_render(uc_vm_t *vm, size_t nargs)
fclose(mem);
/* update uc_string_t length */
- ustr->header.type = UC_STRING;
- ustr->header.refcount = 1;
ustr->length = len - sizeof(*ustr);
return &ustr->header;