Reimplementation of function at 0x80bb148 that prevents overflowing the destination buffer#104
Merged
…he destination buffer.
- Adds symbol FUN_80bb148 using objcopy --add-symbol
- Adds it to undefine.lst so it can be replaced
- Replaces it with a function that stops copying if the destination buffer is full. The size is determined based on the calling function.
Fixes #103
This replaces the vulnerable function with a version that aborts the copy if the destination buffer is full.

Adding destination length checks within `process_fmt()`/`fmt_cell_combine()` isn't enough, because the vulnerable function can apply a form of run-length decoding based on the values in the source buffer (using `memdup()`). This can cause the destination buffer to expand beyond the size of the source buffer. The proof-of-concept exploit does this to overflow a 1024-byte buffer with a 38-byte file.

Replacing a function without a symbol was a bit tricky (and I'm not sure if this is the best way to handle it) but it seems to work and all of the tests pass. I won't be offended if you decide to go with an entirely different approach!
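The point made above is that a length check on the source alone cannot protect the destination when the copy expands its input. The following C example is added here to illustrate that; it is not the PR's code and not the game's actual decoder. The run-length format (high bit set marks a repeat count followed by the byte to repeat), the function names `rle_expanded_size`/`rle_decode_bounded`, and the 38-byte sample input are all constructed for this illustration; the real function at 0x80bb148 is not shown on the page, and the 38-byte/1024-byte figures are simply taken from the description.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical RLE format (constructed for this example, not the real one):
 * a byte with the high bit set is a run marker whose low 7 bits give a repeat
 * count; the following source byte is the value to repeat. Any other byte is
 * copied literally. A tiny source can therefore expand to a much larger output. */

/* Compute how many bytes the source would expand to without writing anything.
 * This is the quantity a source-only length check never sees. */
size_t rle_expanded_size(const uint8_t *src, size_t src_len) {
    size_t out = 0, i = 0;
    while (i < src_len) {
        uint8_t b = src[i++];
        if (b & 0x80) {
            if (i >= src_len) break;        /* marker with no value byte: stop */
            out += (size_t)(b & 0x7f);
            i++;                            /* consume the value byte */
        } else {
            out += 1;
        }
    }
    return out;
}

/* Bounded decoder: stops as soon as the destination is full, which is the
 * behaviour the PR description gives for the replacement function.
 * Returns the number of bytes written, or -1 if the input needed more room. */
long rle_decode_bounded(uint8_t *dst, size_t dst_cap,
                        const uint8_t *src, size_t src_len) {
    size_t w = 0, i = 0;
    while (i < src_len) {
        uint8_t b = src[i++];
        size_t count = 1;
        uint8_t value = b;
        if (b & 0x80) {
            if (i >= src_len) break;
            count = (size_t)(b & 0x7f);
            value = src[i++];
        }
        /* w <= dst_cap always holds, so dst_cap - w cannot underflow */
        if (count > dst_cap - w) {
            return -1;                      /* destination full: abort the copy */
        }
        memset(dst + w, value, count);
        w += count;
    }
    return (long)w;
}

/* Constructed 38-byte sample: 19 markers of 127 repeats each, i.e. 2413 bytes
 * of output, which a 1024-byte destination cannot hold. */
#define SAMPLE_LEN 38
static void build_sample(uint8_t *out) {
    for (size_t i = 0; i < SAMPLE_LEN / 2; i++) {
        out[2 * i] = 0x80 | 0x7f;
        out[2 * i + 1] = 'A';
    }
}

size_t demo_expanded_size(void) {
    uint8_t sample[SAMPLE_LEN];
    build_sample(sample);
    return rle_expanded_size(sample, SAMPLE_LEN);
}

long demo_bounded_result(void) {
    uint8_t sample[SAMPLE_LEN];
    uint8_t dst[1024];
    build_sample(sample);
    return rle_decode_bounded(dst, sizeof dst, sample, SAMPLE_LEN);
}

/* A well-formed small input still decodes normally: "a" + 3x"b" + "c". */
int demo_small_case(void) {
    const uint8_t src[] = { 'a', 0x83, 'b', 'c' };
    uint8_t dst[16];
    long n = rle_decode_bounded(dst, sizeof dst, src, sizeof src);
    return n == 5 && memcmp(dst, "abbbc", 5) == 0;
}

int main(void) {
    printf("38-byte sample expands to %zu bytes\n", demo_expanded_size());
    printf("bounded decode into 1024 bytes returns %ld\n", demo_bounded_result());
    printf("small case ok: %d\n", demo_small_case());
    return 0;
}
```

The design point is that the bound is enforced at the write, against the destination capacity, rather than derived from the source length; a check on `src_len` alone would pass the 38-byte sample and still overrun the 1024-byte buffer.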