From e0a6a1cb8474f69e5442ad77a173decbbb713900 Mon Sep 17 00:00:00 2001 From: leitner Date: Thu, 28 Jun 2007 21:00:40 +0000 Subject: [PATCH] try to catch malicious input in textcode fmt_* functions --- CHANGES | 1 + textcode/fmt_base64.c | 4 ++-- textcode/fmt_cescape.c | 2 ++ textcode/fmt_hexdump.c | 1 + textcode/fmt_html.c | 2 ++ textcode/fmt_ldapescape.c | 2 ++ textcode/fmt_quotedprintable.c | 2 ++ textcode/fmt_to_array.c | 3 ++- textcode/fmt_tofrom_array.c | 3 ++- textcode/fmt_urlencoded.c | 2 ++ textcode/fmt_uuencoded.c | 1 + textcode/fmt_yenc.c | 2 ++ 12 files changed, 21 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index c445e6e..e7b9e13 100644 --- a/CHANGES +++ b/CHANGES @@ -7,6 +7,7 @@ fmt_ip6 compresses at best spot, not at first spot (Nikola Vladov) use inttypes.h to declare ints in uint*.h escape more in fmt_ldapescape + try to catch malicious input in textcode fmt_* functions 0.25: array_allocate no longer truncates the array diff --git a/textcode/fmt_base64.c b/textcode/fmt_base64.c index cda07ec..47c53fe 100644 --- a/textcode/fmt_base64.c +++ b/textcode/fmt_base64.c @@ -5,8 +5,8 @@ size_t fmt_base64(char* dest,const char* src,size_t len) { register const unsigned char* s=(const unsigned char*) src; unsigned short bits=0,temp=0; - unsigned long written=0,i; - if (!dest) return ((len+2)/3)*4; + size_t written=0,i; + if (!dest) return (len>((size_t)-1)/2)?(size_t)-1:((len+2)/3)*4; for (i=0; i6) { diff --git a/textcode/fmt_cescape.c b/textcode/fmt_cescape.c index 4624344..6007de1 100644 --- a/textcode/fmt_cescape.c +++ b/textcode/fmt_cescape.c @@ -41,6 +41,8 @@ size_t fmt_cescape2(char* dest,const char* src,size_t len,const char* escapeme) } break; } + /* in case someone gives us malicious input */ + if (written>((size_t)-1)/2) return (size_t)-1; } return written; } diff --git a/textcode/fmt_hexdump.c b/textcode/fmt_hexdump.c index 289730f..5ecf5ce 100644 --- a/textcode/fmt_hexdump.c +++ b/textcode/fmt_hexdump.c 
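Review bot: The new `(size_t)-1` return in fmt_base64 (textcode/fmt_base64.c) is an in-band error value that nothing in the patch documents. A caller that adds to the result before checking it, for example a constructed `malloc(fmt_base64(0,src,len)+1)`, wraps to a zero-byte allocation. The same value is introduced in fmt_cescape2, fmt_hexdump, fmt_html, fmt_ldapescape, fmt_quotedprintable2, fmt_urlencoded2, fmt_uuencoded and fmt_yenc. I would add above each function a comment such as `/* returns (size_t)-1 if the encoded size would exceed half the address space; check for it before doing arithmetic on the result */`. fmt_to_array and fmt_tofrom_array are the only callers visible in this patch.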
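Review bot: The guard `if (written>((size_t)-1)/2) return (size_t)-1;` added at the end of the loop in fmt_cescape2 (textcode/fmt_cescape.c) is repeated verbatim in fmt_html, fmt_ldapescape, fmt_quotedprintable2, fmt_urlencoded2 and fmt_yenc, with the limit written out as a bare expression each time. A shared macro in a common textcode header (name illustrative), `#define FMT_TOO_BIG(n) ((n)>((size_t)-1)/2)`, would keep the threshold in one place. The check is only sound if one iteration adds a small, bounded number of bytes to `written`. The loop bodies start outside these hunks, so I would extend the comment to state that assumption, e.g. `/* each pass adds only a few bytes, so written cannot wrap between checks */`.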
@@ -6,6 +6,7 @@ size_t fmt_hexdump(char* dest,const char* src,size_t len) { register const unsigned char* s=(const unsigned char*) src; size_t written=0,i; + if (!dest) return (len>((size_t)-1)/2)?(size_t)-1:len*2; for (i=0; i>4); dest[written+1]=fmt_tohex(s[i]&15); diff --git a/textcode/fmt_html.c b/textcode/fmt_html.c index 2a2aecf..bd3e238 100644 --- a/textcode/fmt_html.c +++ b/textcode/fmt_html.c @@ -19,6 +19,8 @@ size_t fmt_html(char* dest,const char* src,size_t len) { break; default: if (dest) dest[written]=s[i]; ++written; break; } + /* in case someone gives us malicious input */ + if (written>((size_t)-1)/2) return (size_t)-1; } return written; } diff --git a/textcode/fmt_ldapescape.c b/textcode/fmt_ldapescape.c index e794b76..82820cd 100644 --- a/textcode/fmt_ldapescape.c +++ b/textcode/fmt_ldapescape.c @@ -18,6 +18,8 @@ size_t fmt_ldapescape(char* dest,const char* src,size_t len) { } else { if (dest) dest[written]=s[i]; ++written; } + /* in case someone gives us malicious input */ + if (written>((size_t)-1)/2) return (size_t)-1; } return written; } diff --git a/textcode/fmt_quotedprintable.c b/textcode/fmt_quotedprintable.c index 7bf156a..781c255 100644 --- a/textcode/fmt_quotedprintable.c +++ b/textcode/fmt_quotedprintable.c @@ -17,6 +17,8 @@ size_t fmt_quotedprintable2(char* dest,const char* src,size_t len,const char* es } else { if (dest) dest[written]=s[i]; ++written; } + /* in case someone gives us malicious input */ + if (written>((size_t)-1)/2) return (size_t)-1; } return written; } diff --git a/textcode/fmt_to_array.c b/textcode/fmt_to_array.c index 767eeb5..3853964 100644 --- a/textcode/fmt_to_array.c +++ b/textcode/fmt_to_array.c 
@@ -4,7 +4,8 @@ void fmt_to_array(size_t (*func)(char*,const char*,size_t), array* a,const char* src,size_t len) { size_t needed=func(0,src,len); - if (array_allocate(a,1,array_bytes(a)+needed-1)) { + if (array_bytes(a)+needed>needed && + array_allocate(a,1,array_bytes(a)+needed-1)) { char* x=((char*)array_start(a))+array_bytes(a)-needed; func(x,src,len); } else diff --git a/textcode/fmt_tofrom_array.c b/textcode/fmt_tofrom_array.c index e8956d2..9949ec3 100644 --- a/textcode/fmt_tofrom_array.c +++ b/textcode/fmt_tofrom_array.c @@ -7,7 +7,8 @@ void fmt_tofrom_array(size_t (*func)(char*,const char*,size_t), char* x; if (array_failed(dest) || array_failed(src)) { array_fail(dest); return; } needed=func(0,array_start(src),array_bytes(src)); - if (array_allocate(dest,1,array_bytes(dest)+needed-1)) { + if (array_bytes(dest)+needed>needed && + array_allocate(dest,1,array_bytes(dest)+needed-1)) { x=((char*)array_start(dest))+array_bytes(dest)-needed; func(x,array_start(src),array_bytes(src)); } else diff --git a/textcode/fmt_urlencoded.c b/textcode/fmt_urlencoded.c index 17dfd5e..5f42c77 100644 --- a/textcode/fmt_urlencoded.c +++ b/textcode/fmt_urlencoded.c @@ -25,6 +25,8 @@ size_t fmt_urlencoded2(char* dest,const char* src,size_t len,const char* escapem } else { if (dest) dest[written]=s[i]; ++written; } + /* in case someone gives us malicious input */ + if (written>((size_t)-1)/2) return (size_t)-1; } return written; } diff --git a/textcode/fmt_uuencoded.c b/textcode/fmt_uuencoded.c index c5b51cd..abf83f8 100644 --- a/textcode/fmt_uuencoded.c +++ b/textcode/fmt_uuencoded.c @@ -11,6 +11,7 @@ size_t fmt_uuencoded(char* dest,const char* src,size_t len) { register const unsigned char* s=(const unsigned char*) src; const char* orig=dest; size_t tmp; + if (!dest) return len>((size_t)-1)/2?(size_t)-1:(len+2)/3*4; while (len) { { register unsigned int diff; diff --git a/textcode/fmt_yenc.c b/textcode/fmt_yenc.c index c8ab224..066d190 100644 --- a/textcode/fmt_yenc.c 
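Review bot: In fmt_to_array the new guard `array_bytes(a)+needed>needed` is false whenever array_bytes(a) is 0, so, assuming an empty array reports 0 bytes, formatting into a fresh array now always takes the else branch although nothing overflowed. fmt_tofrom_array has the same comparison on `dest`. Switching to `>=` fixes that case, but a `needed` of (size_t)-1 would then pass on an empty array and reach array_allocate with a wrapped size. The sentinel should therefore be rejected explicitly: `if (needed!=(size_t)-1 && array_bytes(a)+needed>=needed &&`. The else branch lies outside the hunk, so how the failure surfaces to the caller is not visible here.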
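Review bot: The early return added to fmt_uuencoded answers a size query with `(len+2)/3*4`, which is the base64 formula and leaves out the length character and newline that uuencoding puts on every output line. The `while (len)` loop opens a per-line block with `diff`, but its body is outside the hunk, so this needs confirming against it. If the loop does emit those bytes, the query undercounts. fmt_to_array in this same patch allocates from `func(0,src,len)` and then writes with `func(x,src,len)`, so the write would run past the allocation. I would keep only the overflow test, `if (!dest && len>((size_t)-1)/2) return (size_t)-1;`, and let the loop count the size, which `orig` suggests it did before this change. Alternatively, add the per-line overhead to the formula.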
+++ b/textcode/fmt_yenc.c @@ -33,6 +33,8 @@ dontescape: if (dest) dest[written]='\n'; ++written; linelen=0; } } + /* in case someone gives us malicious input */ + if (written>((size_t)-1)/2) return (size_t)-1; } if (linelen) { if (dest) dest[written]='\n'; ++written; linelen=0;