mod_sed: fix out-of-bounds read in ycomp on mismatched y/// strings#678
Open
OffByQuant wants to merge 1 commit into
Open
mod_sed: fix out-of-bounds read in ycomp on mismatched y/// strings#678OffByQuant wants to merge 1 commit into
OffByQuant wants to merge 1 commit into
Conversation
ycomp() compiles the sed "y/source/dest/" transliterate command by walking
the source and destination strings in lock-step. The first scan loop guards
*tsp against '\0'/'\n', but the second loop reads the destination via *tsp++
with no such guard: it stops only when the source pointer reaches the
delimiter. When the destination string is shorter than the source, tsp runs
past the destination's closing delimiter and the NUL terminator, reading
past the end of the LBSIZE+1 line buffer (commands->linebuf) into adjacent
memory until it happens to hit a matching byte.
The existing size-mismatch check (SEDERR_TSNTSS) already detects this case --
it fires as soon as a destination byte reads back as the delimiter or NUL --
but it only logs and continues, so the over-read proceeds. Make that check
abort compilation (return NULL, as every other error path in ycomp does),
which both fixes the over-read and rejects the malformed command, matching
the behaviour of standard sed ("strings for `y' command are different
lengths").
The sed program is supplied via the OutputSed/InputSed configuration
directives (ACCESS_CONF), so this is a robustness fix for malformed
configuration, not a remotely triggerable issue.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
ycomp()(modules/filters/sed0.c) compiles the sedy/source/dest/transliterate command by walking the source and destination strings in lock-step. The first scan loop guards*tspagainst'\0'/'\n', but the second loop reads the destination via*tsp++with no such guard — it stops only when the source pointer reaches the delimiter. When the destination string is shorter than the source,tspruns past the destination's closing delimiter and the NUL terminator, reading past the end of theLBSIZE + 1line buffer (commands->linebuf) into adjacent memory until it happens to hit a matching byte.The existing size-mismatch check (
SEDERR_TSNTSS) already detects this case — it fires as soon as a destination byte reads back as the delimiter or NUL — but it only logs viacommand_errf()(which does not abort) and continues, so the over-read proceeds. This change makes that checkreturn NULL, as every other error path inycompalready does (the caller handlesNULLby returning-1). That both fixes the over-read and rejects the malformed command, matching standard sed (strings for 'y' command are different lengths).Scope
The sed program is supplied via the
OutputSed/InputSedconfiguration directives (ACCESS_CONF), so this is a robustness fix for malformed configuration, not a remotely triggerable issue — the HTTP request is only the data the compiled program is applied to and never re-entersycomp.Testing
Built
sed0.c+sed1.c+regexp.cwith a small harness driving the real public API (sed_init_commands+sed_compile_string):ycommand with a 900-char source and 1-char destination read to offset 1802 of the 1001-byte line buffer (802 out-of-bounds reads, shown via instrumentation — plain ASan does not flag it because APR pools sub-allocatelinebuffrom a larger block).ycommands (shorter dest, longer dest, missing delimiter) are rejected cleanly with a singleSEDERR_TSNTSS.y/s/chained-command output is byte-identical to the pristine build across a differential battery.