[PATCH] Fix OOB read in do_vsexp_sscan when newline+EOF is found in escape sequence
Filippo Valsorda
hi at filippo.io
Tue May 5 22:21:45 CEST 2015
The check for the available bytes performed before doing the look-ahead was
off by one, causing an out of bound read. Example input: 22 5c 0a |"\.|
Found with afl-fuzz and ASAN.
Signed-off-by: Filippo Valsorda <hi at filippo.io>
---
src/sexp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/sexp.c b/src/sexp.c
index 9bc13ca..3d8fcf3 100644
--- a/src/sexp.c
+++ b/src/sexp.c
@@ -1239,7 +1239,7 @@ do_vsexp_sscan (gcry_sexp_t *retsexp, size_t
*erroff,
case '\r':
/* ignore CR[,LF] */
- if (n && (p[1] == '\n'))
+ if ((n > 1) && (p[1] == '\n'))
{
p++;
n--;
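Review bot: The new (n > 1) test in the case '\r' branch is only correct if n still counts the byte at p[0], and nothing in the hunk states that invariant. Suggest extending the existing comment, for example /* ignore CR[,LF]; n includes the current byte, so p[1] is readable only when n > 1 */. Note also that the example input in the commit message ends in 0a, so it reaches the '\n' case rather than this one; a regression test should include a CR-terminated variant as well.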
@@ -1249,7 +1249,7 @@ do_vsexp_sscan (gcry_sexp_t *retsexp, size_t
*erroff,
case '\n':
/* ignore LF[,CR] */
- if (n && (p[1] == '\r'))
+ if ((n > 1) && (p[1] == '\r'))
{
p++;
n--;
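Review bot: The guard in the case '\n' branch is a second copy of the look-ahead check in case '\r', and both copies carried the same off-by-one. Suggest factoring the "skip an optional paired line terminator" step into one small helper that takes p, n and the expected byte, so the bound is written and reviewed once. The diffstat shows only src/sexp.c changed; adding the commit message's example input (22 5c 0a) to the test suite would keep this from regressing.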
--
2.3.6