Possible Memcpy and write out of bounds error in Wordsplit.

bug-tar

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Possible Memcpy and write out of bounds error in Wordsplit.

From:	Kenneth Salt
Subject:	Possible Memcpy and write out of bounds error in Wordsplit.
Date:	Wed, 1 Nov 2023 18:16:38 -0300

tar.1.35 has a heap buffer overflow vulnerability when splitting words through the wordsplit library.

reproduction case: ./tar1.35 --group-map=<(python3 -c 'print("\x27\x27\x3f\x3f"+"A"*4035)')
The changes in coalesce_segment from 1.34 to 1.35 do a memcpy into a length one buffer without checking boundaries. Untested on different codepaths that use wordsplit, in the above example eventually ws_node heap structure is overwritten.

Thanks
Kenneth

[Prev in Thread]

Current Thread

[Next in Thread]

Possible Memcpy and write out of bounds error in Wordsplit., Kenneth Salt <=
- Re: Possible Memcpy and write out of bounds error in Wordsplit., Paul Eggert, 2023/11/01

Next by Date: Re: Possible Memcpy and write out of bounds error in Wordsplit.
Next by thread: Re: Possible Memcpy and write out of bounds error in Wordsplit.
Index(es):
- Date
- Thread