author | Tobias Stoeckmann <tobias@stoeckmann.org> | 2020-06-07 19:56:43 +0200 |
---|---|---|
committer | Tobias Stoeckmann <tobias@stoeckmann.org> | 2020-06-07 20:01:14 +0200 |
commit | 9c51a2829f65ea03ef87376ca9561037d9262f6d (patch) | |
tree | a59efbd7125d79334f7e9f86bf08fbbb78f868ab | |
parent | c281cadb06657c2a15a52598be6cf9c30fad1b12 (diff) |
Fix out of boundary read.

If a binary file which starts with 0x00 is edited, xrdb performs
an off-by-one read outside of its buffer.

The fix is simple: Do not try to append an empty string to buffer,
which would be a no-op anyway.

Proof of Concept (compile with -fsanitize=address):

$ dd if=/dev/zero bs=1 count=1 of=poc.txt
$ xrdb -edit poc.txt

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

-rw-r--r-- | xrdb.c | 2 |
1 files changed, 2 insertions, 0 deletions
@@ -745,6 +745,8 @@ EditFile(Entries *new, FILE *in, FILE *out) buff[0] = '\0'; if (!fgets(buff, BUFSIZ, in)) goto cleanup; + if (buff[0] == '\0') + continue; AppendToBuffer(&b, buff, strlen(buff)); c = &b.buff[b.used - 1]; if ((*(c--) == '\n') && (b.used == 1 || *c != '\\')) |
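
Review bot: The added `if (buff[0] == '\0') continue;` check in EditFile() has no comment, and it is not obvious to a later reader why fgets() can return success while leaving an empty string in `buff`. A one-line comment saying that a line starting with a NUL byte yields `strlen(buff) == 0` would keep the check from being removed as dead code. The read that goes out of bounds is `c = &b.buff[b.used - 1]` when `b.used` is 0, so the guard protects it only indirectly, by testing the input instead of the index. Checking `b.used` before taking that address would keep the pointer arithmetic safe regardless of how the buffer came to be empty. Note also that `AppendToBuffer(&b, buff, strlen(buff))` still truncates at a NUL that appears later in a line, so the rest of that line, including its newline, is dropped and the `*(c--) == '\n'` test will not see the line end. If binary input is meant to be handled, that case deserves either an explicit rejection or a comment stating it is accepted.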