Hi,
we discovered a bug which can cause a Segmentation Fault.
It happens when xorriso with parameter -setfacl is given a file with too many users for one file. It is caused by leaving a cursor-pointer inside reallocated memory.
Exploitation:
* run the script (it will create a directory with test files)
* run command:
    xorriso -outdev out.img -map . / -setfacl_list Test_dir/File_with_users
Cause:
When reallocating in xorriso/opts_p_z.c on line 927, the pointer wpt is left on the old position which is now outside allocated memory.
Fix:
Save where wpt was in the old memory and, after realloc, move it to the same position according to the buf pointer.
Next, add a function that controls the overrun when sprinting access_acl_text into xorriso->info_text (buffer could be huge). If the printed string was too big to fit into xorriso->info_text, the function adds a message at the end that the string was truncated.
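
The cursor fix described above, as an added example that is not part of the original report and is not xorriso's code: the write cursor is kept as an offset across realloc and re-derived from the new base pointer. The names textbuf, textbuf_append and build_acl_text are hypothetical, and the "user:" entries are constructed sample input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable text buffer: buf is the allocation, wpt the write cursor. */
struct textbuf { char *buf; char *wpt; size_t size; };

/* Append s, growing the buffer when needed. Returns 0 on success, -1 on failure. */
static int textbuf_append(struct textbuf *t, const char *s)
{
    size_t len = strlen(s);
    size_t used = t->buf ? (size_t)(t->wpt - t->buf) : 0; /* cursor as offset */
    if (used + len + 1 > t->size) {
        size_t new_size = t->size ? t->size : 16;
        while (used + len + 1 > new_size)
            new_size *= 2;
        char *nbuf = realloc(t->buf, new_size); /* may move the block */
        if (nbuf == NULL) return -1; /* old block still valid; caller frees it */
        t->buf = nbuf;
        t->wpt = nbuf + used;        /* re-derive the cursor from the new base */
        t->size = new_size;
    }
    memcpy(t->wpt, s, len + 1);      /* copies the terminating NUL too */
    t->wpt += len;
    return 0;
}

/* Build a text of n constructed "user:" entries; caller frees. NULL on failure. */
static char *build_acl_text(int n)
{
    struct textbuf t = { NULL, NULL, 0 };
    char line[64];
    for (int i = 0; i < n; i++) {
        snprintf(line, sizeof line, "user:u%d:rwx\n", i);
        if (textbuf_append(&t, line) != 0) { free(t.buf); return NULL; }
    }
    return t.buf;
}

int main(void)
{
    char *txt = build_acl_text(5000); /* enough entries to force many reallocs */
    if (txt == NULL) return 1;
    printf("%zu bytes\n", strlen(txt));
    free(txt);
    return 0;
}
```

Building this with -fsanitize=address and swapping the re-derivation line for a cursor that is left untouched makes the stale-pointer write show up as a heap-use-after-free report on the first realloc that moves the block.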