[Chicken-hackers] [PATCH] Bound read-u8vector! to dest vector's size when no length is given


From: Evan Hanson
Subject: [Chicken-hackers] [PATCH] Bound read-u8vector! to dest vector's size when no length is given
Date: Sat, 17 May 2014 20:41:15 -0700
User-agent: OpenSMTPD enqueuer (Demoosh)

Hi hackers,

I believe issue #1124[1] is due to a missing bounds check in
`read-u8vector!`.

Currently, its read size is bounded according to the destination
u8vector's size when a length argument is given, but not when false is
passed for the length instead, leading to a possible buffer overrun. The
attached patch ensures this check is performed for both cases.

This problem (and the fix) is nearly identical to one that was found and
fixed in `read-string!` last year[2], via cd1b977. The patch doesn't
update NEWS yet since, as with CVE-2013-4385, this has security
implications and I think it should be included in the stable release as
well.

[1]: https://bugs.call-cc.org/ticket/1124
[2]: https://lists.nongnu.org/archive/html/chicken-announce/2013-09/msg00000.html

Evan

Attachment: 0001-Bound-read-u8vector-to-dest-vector-s-size-when-no-le.patch
Description: Text document
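
The bounds check described in the message above, sketched as an added C model that is not part of the original post, the attached patch, or CHICKEN's source. All names (`read_unbounded`, `read_bounded`, `struct port`, `NO_LEN`, `clobbered`) are hypothetical, and the model assumes that a read with no length consumes all remaining input.

```c
#include <string.h>

/* Hypothetical model, not CHICKEN's source. NO_LEN stands in for passing #f
 * as the length; a port is a byte array with a read position. */
#define NO_LEN ((size_t)-1)
struct port { const unsigned char *data; size_t len, pos; };

/* Pre-patch logic as described: dest bounds the read only when a length is
 * given. arena_len (memory physically holding dest) keeps the demo defined. */
size_t read_unbounded(unsigned char *dest, size_t dest_len, size_t arena_len,
                      struct port *p, size_t n, size_t start)
{
    size_t avail = p->len - p->pos;
    if (start > dest_len) return 0;
    if (n != NO_LEN && n > dest_len - start) n = dest_len - start;
    if (n == NO_LEN || n > avail) n = avail;   /* no length: take all input */
    if (n > arena_len - start) n = arena_len - start;
    memcpy(dest + start, p->data + p->pos, n);
    p->pos += n;
    return n;
}

/* Patched logic: dest bounds the read whether or not a length is given. */
size_t read_bounded(unsigned char *dest, size_t dest_len,
                    struct port *p, size_t n, size_t start)
{
    if (start > dest_len) return 0;
    size_t room = dest_len - start, avail = p->len - p->pos;
    if (n == NO_LEN || n > room) n = room;
    if (n > avail) n = avail;
    memcpy(dest + start, p->data + p->pos, n);
    p->pos += n;
    return n;
}

/* Constructed case: 8-byte destination followed by 8 unrelated bytes (0xAA),
 * 12 input bytes, no length. Returns how many neighbouring bytes changed. */
size_t clobbered(int patched)
{
    unsigned char arena[16], input[12];
    memset(arena, 0xAA, sizeof arena);
    memset(input, 0x41, sizeof input);
    struct port p = { input, sizeof input, 0 };
    if (patched) read_bounded(arena, 8, &p, NO_LEN, 0);
    else read_unbounded(arena, 8, sizeof arena, &p, NO_LEN, 0);
    size_t hit = 0;
    for (size_t i = 8; i < sizeof arena; i++) hit += arena[i] != 0xAA;
    return hit;
}
```

With the constructed input, the unbounded variant changes four bytes past the 8-byte destination, while the bounded variant stops at the destination's end and leaves the remaining input on the port.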

