
ListFileLexer: fix heap-buffer-overflow on malicious input

Matthias Männich requested to merge metti/cmake:master into master

In case a list file contains a null-terminated string that is continued until a later space, the lexer token information becomes inconsistent:

e.g. an argument "TEST\0FOOBAR" is passed by the lexer as a token

char* = "TEST\0FOOBAR" and length 11
             ^^ note: ascii 0x00

Using strdup in cmListFileLexer causes lexer->token.text to be allocated with size 5 and lexer->token.length to be set to 11.

A subsequent call to this function with an argument of 5 < length <= 11 wrongly assumes a sufficiently sized buffer and therefore corrupts the heap buffer. The program might crash due to this corruption. The case "NullTerminatedArgument" intentionally uses a quite large 'rest' to increase the chance of actually hitting the issue. It will reliably crash with AddressSanitizer enabled, though.

Considering that the case is artificial, the fix assumes that the rest of the already terminated string can be ignored.

Signed-off-by: Matthias Maennich matthias@maennich.net

Topic-rename: lexer-null

Edited by Brad King
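The mechanism described above, as an added example that is not CMake's own code: a small model of a lexer token buffer whose capacity is recorded from the scanner's byte count while the text itself is copied with strdup, so an embedded NUL leaves the recorded capacity larger than the allocation. The struct and function names (Token, token_set, scenario) and the extra `real` field are assumptions made here so the overrun can be detected instead of performed; the fixed variant derives the length from what strdup actually copied, which is the approach the description attributes to the fix.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative model of a lexer token buffer (names are this example's, not CMake's). */
typedef struct {
  char *text;    /* heap copy of the token text, NUL-terminated */
  size_t length; /* length the lexer believes the token has */
  size_t size;   /* capacity the lexer believes `text` has */
  size_t real;   /* actual allocation size; tracked here only to detect an overrun safely */
} Token;

static void token_free(Token *t) {
  free(t->text);
  memset(t, 0, sizeof *t);
}

/* (Re)allocate the token text with strdup, which stops at the first NUL byte.
   `fixed` selects whether length/size come from the scanner's count (bug) or
   from what strdup actually copied (fix). */
static int token_grow(Token *t, const char *text, size_t length, int fixed) {
  token_free(t);
  t->text = strdup(text); /* copies only up to the embedded NUL */
  if (!t->text)
    return -1;
  t->real = strlen(text) + 1;
  if (fixed)
    t->length = strlen(text); /* fix: ignore the rest after the terminator */
  else
    t->length = length;       /* bug: trust a count that includes bytes past the NUL */
  t->size = t->length + 1;
  return 0;
}

/* Store a token, reusing the existing buffer when the recorded capacity says it fits.
   Returns 0 on success, -1 on allocation failure, and 1 when the recorded capacity
   would have let strcpy overrun the real allocation; the model refuses to do the
   write that would corrupt the heap. */
static int token_set(Token *t, const char *text, size_t length, int fixed) {
  if (t->text && length < t->size) {
    if (strlen(text) + 1 > t->real)
      return 1; /* heap-buffer-overflow would happen here in the unchecked original */
    strcpy(t->text, text);
    t->length = length;
    return 0;
  }
  return token_grow(t, text, length, fixed);
}

/* Capacity the lexer records after the first token ("TEST\0FOOBAR", 11 bytes). */
static size_t recorded_size_after_first(int fixed) {
  static const char first[] = "TEST\0FOOBAR"; /* constructed input with an embedded NUL */
  Token t = {0};
  size_t size;
  if (token_set(&t, first, sizeof first - 1, fixed) != 0)
    return 0;
  size = t.size;
  token_free(&t);
  return size;
}

/* Replay the report: first token "TEST\0FOOBAR" (length 11, only 5 bytes allocated),
   then a second token with 5 < length <= 11. */
static int scenario(int fixed) {
  static const char first[] = "TEST\0FOOBAR";
  Token t = {0};
  int rc;
  if (token_set(&t, first, sizeof first - 1, fixed) != 0)
    return -1;
  rc = token_set(&t, "ABCDEFGHI", 9, fixed); /* 9 bytes: fits size 12, not allocation 5 */
  token_free(&t);
  return rc;
}

int main(void) {
  printf("buggy: recorded size %zu, second token rc=%d\n",
         recorded_size_after_first(0), scenario(0));
  printf("fixed: recorded size %zu, second token rc=%d\n",
         recorded_size_after_first(1), scenario(1));
  return 0;
}
```

With the buggy accounting the first token records a capacity of 12 for a 5-byte allocation, so the second token takes the reuse path and would overrun; with the fixed accounting the recorded capacity is 5, the second token does not fit, and the buffer is reallocated. The `real` field stands in for what AddressSanitizer observes at runtime; it is not something the production lexer keeps.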
