| Message ID | 20241101101345.Bluez.v2.1.Ia122d85386d6c2fc69f5b3d7ea7a7169f73756e4@changeid |
|---|---|
| State | New |
| Headers | show |
| Series | [Bluez,v2] textfile: Fix possible bad memory access in find_key | expand |
diff --git a/src/textfile.c b/src/textfile.c index 313098f38..8188d2ebe 100644 --- a/src/textfile.c +++ b/src/textfile.c @@ -127,10 +127,10 @@ static inline char *find_key(char *map, size_t size, const char *key, size_t len while (ptrlen > len + 1) { int cmp = (icase) ? strncasecmp(ptr, key, len) : strncmp(ptr, key, len); if (cmp == 0) { - if (ptr == map && *(ptr + len) == ' ') - return ptr; - - if ((*(ptr - 1) == '\r' || *(ptr - 1) == '\n') && + if (ptr == map) { + if (*(ptr + len) == ' ') + return ptr; + } else if ((*(ptr - 1) == '\r' || *(ptr - 1) == '\n') && *(ptr + len) == ' ') return ptr; }
From: Yun-Hao Chung <howardchung@google.com> If the searched key is a prefix of the first key in the textfile, the code will assume it's not the first line which is wrong. The issue can be reproduced by a fuzzer. Stack trace: #0 0x55e1c450e7ce in find_key /src/bluez/src/textfile.c:133:9 #1 0x55e1c450e7ce in write_key /src/bluez/src/textfile.c:244:8 #2 0x55e1c450dc33 in LLVMFuzzerTestOneInput /src/fuzz_textfile.c:61:3 (...trace in fuzzer) --- This is reproduced by https://issues.oss-fuzz.com/issues/42515619 Changes in v2: - Add stack trace in commit message src/textfile.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)