Overview
Comment: | Resolved invalid memory write in --args FILE handling when FILE contains embedded NULs, as reported in forum post 7b34eecc1b8cf5d2. Cause: mismatch between --args expansion's own line counting vs blob_line() counting. All bytes after the first embedded NUL are now effectively ignored. |
SHA3-256: | e120c2a9a7278cbc48be7f20110799c9 |
User & Date: | stephan 2021-08-05 11:55:07 |
Context
2021-08-05
17:06 | Minor doc fix for previous commit. No code changes. ... (check-in: 04a9e74a user: stephan tags: trunk) | |
11:55 | Resolved invalid memory write in --args FILE handling when FILE contains embedded NULs, as reported in forum post 7b34eecc1b8cf5d2. Cause: mismatch between --args expansion's own line counting vs blob_line() counting. All bytes after the first embedded NUL are now effectively ignored. ... (check-in: e120c2a9 user: stephan tags: trunk) | |
2021-08-02
10:09 | Typo fix in previous ... (check-in: e3066ede user: wyoung tags: trunk) | |
Changes
Changes to src/main.c.
︙ | ︙ | |||
471 472 473 474 475 476 477 | for(k=0, nLine=1; z[k]; k++) if( z[k]=='\n' ) nLine++; if( nLine>100000000 ) fossil_fatal("too many command-line arguments"); nArg = g.argc + nLine*2; newArgv = fossil_malloc( sizeof(char*)*nArg ); for(j=0; j<i; j++) newArgv[j] = g.argv[j]; blob_rewind(&file); | | > > > > > > | 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 | for(k=0, nLine=1; z[k]; k++) if( z[k]=='\n' ) nLine++; if( nLine>100000000 ) fossil_fatal("too many command-line arguments"); nArg = g.argc + nLine*2; newArgv = fossil_malloc( sizeof(char*)*nArg ); for(j=0; j<i; j++) newArgv[j] = g.argv[j]; blob_rewind(&file); while( nLine-->0 && (n = blob_line(&file, &line))>0 ){ /* Reminder: ^^^ nLine check avoids that embedded NUL bytes in the ** --args file causes nLine to be less than blob_line() will end ** up reporting in that case, which leads to an memory illegal ** write. See forum post ** https://fossil-scm.org/forum/forumpost/7b34eecc1b8c for ** details */ if( n<1 ){ /* Reminder: corner-case: a line with 1 byte and no newline. */ continue; } z = blob_buffer(&line); if('\n'==z[n-1]){ z[n-1] = 0; |
︙ | ︙ |
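Review bot: In the new loop condition `while( nLine-->0 && (n = blob_line(&file, &line))>0 ){`, an --args file containing an embedded NUL is now cut short without any diagnostic, so the user ends up running a command with missing arguments and no indication why. The preceding scan counts nLine with `z[k]` as its stop condition, so the case where that scan ends before the end of the file contents can be detected right there; consider calling fossil_fatal() at that point, as is already done for "too many command-line arguments", or at least emitting a warning, instead of silently ignoring the remainder. Two smaller points: with `>0` in the loop condition, the `if( n<1 )` branch just below can never be taken and could be dropped or its comment updated, and the new comment's wording ("avoids that embedded NUL bytes ... causes", "an memory illegal write") should be tidied, for example to "leads to an illegal memory write".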