authorMichael Budde <mbudde@gmail.com>2019-01-26 09:30:35 +0100
committerMartin Michlmayr <tbm@cyrius.com>2019-01-26 09:45:11 -0300
commit7c0ae5b02571e21f97d45f5d091cb78af9885713 (patch)
tree443385ee9074cdbd85926b515e598c1c0813ba30
parentba40cd0d0ce825c9be108611d0b59c42f434b6ac (diff)
Fix possible stack overflow in date parsing routine
It is possible to create a stack buffer overflow by giving a date that is longer than the buffer that is used during date parsing because the length of the input string is not checked. The `VERIFY` macro is only enabled when debug-mode is enabled and the `--verify-memory` argument is used. Prevent the issue by always checking the input string length and discarding dates that do not fit in the buffer as invalid. This issue has been assigned CVE-2017-12482. Fixes #1224
-rw-r--r--doc/NEWS3
-rw-r--r--src/times.cc4
-rw-r--r--test/regress/1224.test9
3 files changed, 15 insertions, 1 deletions
diff --git a/doc/NEWS b/doc/NEWS
index 5152ad7c..a7c9bbb5 100644
--- a/doc/NEWS
+++ b/doc/NEWS
@@ -48,6 +48,9 @@
- Fix use-after-free issue with deferred postings (bug #1723, TALOS-2017-0304,
CVE-2017-2808)
+- Fix possible stack overflow in date parsing routine (bug #1224,
+ CVE-2017-12482)
+
- Python: Removed double quotes from Unicode values.
- Python: Ensure that parse errors produce useful RuntimeErrors
diff --git a/src/times.cc b/src/times.cc
index db0d74ff..74773755 100644
--- a/src/times.cc
+++ b/src/times.cc
@@ -127,7 +127,9 @@ namespace {
date_t parse_date_mask_routine(const char * date_str, date_io_t& io,
date_traits_t * traits = NULL)
{
- VERIFY(std::strlen(date_str) < 127);
+ if (std::strlen(date_str) > 127) {
+ throw_(date_error, _f("Invalid date: %1%") % date_str);
+ }
char buf[128];
std::strcpy(buf, date_str);
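Review bot: The literal `127` in the new guard is tied to `char buf[128]` only by convention, and the check sits above the declaration, so a later change to the buffer size would silently reopen the overflow in the `std::strcpy` that follows. Declaring the buffer first and testing `if (std::strlen(date_str) >= sizeof(buf))` keeps the bound and the copy in step; the comparison as written is correct for 128 bytes, since a 127-character string plus its terminator fits exactly. The thrown message also embeds the whole rejected string, so an oversized input is echoed in full into the error output, and truncating it there may be worth considering. The body of parse_date_mask_routine continues outside this hunk.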
diff --git a/test/regress/1224.test b/test/regress/1224.test
new file mode 100644
index 00000000..ecf87228
--- /dev/null
+++ b/test/regress/1224.test
@@ -0,0 +1,9 @@
+2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+
+test reg -> 1
+__ERROR__
+While parsing file "$FILE", line 1:
+While parsing transaction:
+> 2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+Error: Invalid date: 2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+end test
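Review bot: The regression input on the first line is far longer than the 128-byte buffer, so it shows that the guard fires but not that its boundary is right. Two further cases would pin the limit: a 127-character date string, which should get past the length check and be handled by the normal parser, and a 128-character one, which should be rejected with `Error: Invalid date: ...`. Running the 127-character case under a sanitizer build, if the project has one, would confirm the copy stays inside the buffer and catch an off-by-one if the check or the buffer size is edited later.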