[Chicken-hackers] [PATCH] [SECURITY] Fix buffer overrun in string-translate*

[Peter Bex]

Hello everyone,

I decided to run a "make check" with the Address Sanitizer in gcc turned
on (libasan, -fsanitize=address) after a colleague told me about this
(hi, Lekensteyn!) and this found a bug in string-translate* which is very
similar to the bug we recently found in substring-index: it would start
scanning the provided string from each index, completely disregarding the
length of the source string in the map.

This is a very tricky bug to detect manually, because memcmp will stop
scanning as soon as it hits a different byte, which means that it would
scan at most one byte in the overwhelmingly common case, but occasionally
it would scan more than the one byte.

The attached patch fixes the bug by checking the lengths of the strings
and simply avoids calling C_substring_compare if the searched-for string
is larger than the remaining part of the argument string at index.
I've also added a few basic tests, just in case; I was unsuccessful in
crafting a test that would trigger an error or segfault in unpatched
CHICKENs, due to the aforementioned situation of memcmp stopping early.

I think this patch should go into all 3 active branches (master,
prerelease and chicken-5).  Once applied, I'll send out an announcement
and request a CVE, as usual.

Cheers,
Peter

0001-Fix-potential-buffer-overrun-error-in-string-transla.patch
Description: Text Data

signature.asc
Description: Digital signature