From fd6ddb7120506b508870dc37402f47ffbcb5fb2f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Janiszewski?= Date: Fri, 7 Aug 2015 00:38:35 +0200 Subject: [PATCH] Prevent accessing memory we don't own In case where strlen(propertyName) < strlen(name) we are accessing memory from stack mapping possibly outside our ownership. Prevent such behaviour by clamping the check to valid range only. --- src/config.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/config.c b/src/config.c index 6ad85f1ee4..0d98282e60 100644 --- a/src/config.c +++ b/src/config.c @@ -522,7 +522,8 @@ config_section_definition *config_get_section_def(const utf8 *name, int size) for (i = 0; i < countof(_sectionDefinitions); i++) { const_utf8string sectionName = _sectionDefinitions[i].section_name; - if (sectionName[size] == 0 && _strnicmp(sectionName, name, size) == 0) + const int sectionNameSize = strnlen(sectionName, size); + if (sectionNameSize == size && sectionName[size] == 0 && _strnicmp(sectionName, name, size) == 0) return &_sectionDefinitions[i]; } @@ -535,8 +536,11 @@ config_property_definition *config_get_property_def(config_section_definition *s for (i = 0; i < section->property_definitions_count; i++) { const_utf8string propertyName = section->property_definitions[i].property_name; - if (propertyName[size] == 0 && _strnicmp(propertyName, name, size) == 0) + const int propertyNameSize = strnlen(propertyName, size); + if (propertyNameSize == size && propertyName[size] == 0 && _strnicmp(propertyName, name, size) == 0) + { return §ion->property_definitions[i]; + } } return NULL;