Projects
openEuler:20.03:LTS:SP3
busybox
_service:tar_scm_kernel_repo:backport-CVE-2022-...
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:tar_scm_kernel_repo:backport-CVE-2022-48174.patch of Package busybox
From a4bf2a7c172517c95d79f77701797a59b1ea3aa6 Mon Sep 17 00:00:00 2001 From: songbuhuang <544824346@qq.com> Date: Thu, 31 Aug 2023 11:57:41 +0800 Subject: [PATCH] fix CVE-2022-48174 Signed-off-by: songbuhuang <544824346@qq.com> --- shell/math.c | 39 +++++++++++++++++++++++++++++++++++---- 1 file changed, 35 insertions(+), 4 deletions(-) diff --git a/shell/math.c b/shell/math.c index af1ab55..79824e8 100644 --- a/shell/math.c +++ b/shell/math.c @@ -578,6 +578,28 @@ static arith_t strto_arith_t(const char *nptr, char **endptr) # endif #endif +//TODO: much better estimation than expr_len/2? Such as: +//static unsigned estimate_nums_and_names(const char *expr) +//{ +// unsigned count = 0; +// while (*(expr = skip_whitespace(expr)) != '\0') { +// const char *p; +// if (isdigit(*expr)) { +// while (isdigit(*++expr)) +// continue; +// count++; +// continue; +// } +// p = endofname(expr); +// if (p != expr) { +// expr = p; +// count++; +// continue; +// } +// } +// return count; +//} + static arith_t FAST_FUNC evaluate_string(arith_state_t *math_state, const char *expr) { @@ -585,10 +607,12 @@ evaluate_string(arith_state_t *math_state, const char *expr) const char *errmsg; const char *start_expr = expr = skip_whitespace(expr); unsigned expr_len = strlen(expr) + 2; - /* Stack of integers */ - /* The proof that there can be no more than strlen(startbuf)/2+1 - * integers in any given correct or incorrect expression - * is left as an exercise to the reader. */ + /* Stack of integers/names */ + /* There can be no more than strlen(startbuf)/2+1 + * integers/names in any given correct or incorrect expression. + * (modulo "09v09v09v09v09v" case, + * but we have code to detect that early) + */ var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0])); var_or_num_t *numstackptr = numstack; /* Stack of operator tokens */ @@ -657,6 +681,13 @@ evaluate_string(arith_state_t *math_state, const char *expr) numstackptr->var = NULL; errno = 0; numstackptr->val = strto_arith_t(expr, (char**) &expr); + /* A number can't be followed by another number, or a variable name. + * We'd catch this later anyway, but this would require numstack[] + * to be twice as deep to handle strings where _every_ char is + * a new number or name. Example: 09v09v09v09v09v09v09v09v09v + */ + if (isalnum(*expr) || *expr == '_') + goto err; if (errno) numstackptr->val = 0; /* bash compat */ goto num; -- 2.26.2
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.