path: root/meta/recipes-devtools/nasm/nasm/CVE-2022-44370.patch
From b37677f7e40276bd8f504584bcba2c092f1146a8 Mon Sep 17 00:00:00 2001
From: "H. Peter Anvin" <hpa@zytor.com>
Date: Mon, 7 Nov 2022 10:26:03 -0800
Subject: [PATCH] quote_for_pmake: fix counter underrun resulting in segfault

while (nbs--) { ... } ends with nbs == -1. Rather than a minimal fix,
introduce mempset() to make these kinds of errors less likely in the
future.

Fixes: https://bugzilla.nasm.us/show_bug.cgi?id=3392815
Reported-by: <13579and24680@gmail.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>

Upstream-Status: Backport
CVE: CVE-2022-44370

Reference to upstream patch:
[https://github.com/netwide-assembler/nasm/commit/2d4e6952417ec6f08b6f135d2b5d0e19b7dae30d]

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
 asm/nasm.c         | 12 +++++-------
 configure.ac       |  1 +
 include/compiler.h |  7 +++++++
 3 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/asm/nasm.c b/asm/nasm.c
index 7a7f8b4..675cff4 100644
--- a/asm/nasm.c
+++ b/asm/nasm.c
@@ -1,6 +1,6 @@
 /* ----------------------------------------------------------------------- *
  *
- *   Copyright 1996-2020 The NASM Authors - All Rights Reserved
+ *   Copyright 1996-2022 The NASM Authors - All Rights Reserved
  *   See the file AUTHORS included with the NASM distribution for
  *   the specific copyright holders.
  *
@@ -814,8 +814,7 @@ static char *quote_for_pmake(const char *str)
     }

     /* Convert N backslashes at the end of filename to 2N backslashes */
-    if (nbs)
-        n += nbs;
+    n += nbs;

     os = q = nasm_malloc(n);

@@ -824,10 +823,10 @@ static char *quote_for_pmake(const char *str)
         switch (*p) {
         case ' ':
         case '\t':
-            while (nbs--)
-                *q++ = '\\';
+            q = mempset(q, '\\', nbs);
             *q++ = '\\';
             *q++ = *p;
+            nbs = 0;
             break;
         case '$':
             *q++ = *p;
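Review bot: The `nbs = 0;` added after the space/tab escape is what keeps the counter valid for the next `mempset()` call, but the line has no comment saying so. Because `mempset()` takes its count as `size_t`, a stale or wrapped counter would become a very large fill of the heap buffer. I would add `/* pending backslashes have been written out; restart the count */` on that line. The same invariant covers the trailing `q = mempset(q, '\\', nbs);` in the last hunk of this file. The declaration of `nbs` and the other case arms are outside the hunk, so whether every arm resets the counter cannot be confirmed from here.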
@@ -849,9 +848,8 @@ static char *quote_for_pmake(const char *str)
             break;
         }
     }
-    while (nbs--)
-        *q++ = '\\';

+    q = mempset(q, '\\', nbs);
     *q = '\0';

     return os;
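Review bot: Nothing after the final `mempset()` checks that the copy pass stayed inside the `n` bytes computed by the sizing pass, which is the property this fix is meant to restore. A cheap guard just before the terminator, `nasm_assert((size_t)(q - os) < n);`, would turn any future mismatch between the two passes into a clean abort instead of a heap write past the allocation. The sizing loop and the start of the copy loop are outside the visible hunks, so this is a defensive check and not a report of a remaining overflow.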
diff --git a/configure.ac b/configure.ac
index 39680b1..940ebe2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -199,6 +199,7 @@ AC_CHECK_FUNCS(strrchrnul)
 AC_CHECK_FUNCS(iscntrl)
 AC_CHECK_FUNCS(isascii)
 AC_CHECK_FUNCS(mempcpy)
+AC_CHECK_FUNCS(mempset)

 AC_CHECK_FUNCS(getuid)
 AC_CHECK_FUNCS(getgid)
diff --git a/include/compiler.h b/include/compiler.h
index db3d6d6..b64da6a 100644
--- a/include/compiler.h
+++ b/include/compiler.h
@@ -256,6 +256,13 @@ static inline void *mempcpy(void *dst, const void *src, size_t n)
 }
 #endif

+#ifndef HAVE_MEMPSET
+static inline void *mempset(void *dst, int c, size_t n)
+{
+    return (char *)memset(dst, c, n) + n;
+}
+#endif
+
 /*
  * Hack to support external-linkage inline functions
  */
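Review bot: `mempset()` is added without a comment, although the callers in asm/nasm.c depend on its return convention, which mirrors the `mempcpy()` fallback above it. I would add `/* Like memset(), but returns a pointer to the byte after the last one written */` above the definition. Since `n` is `size_t`, a negative or wrapped count from a caller becomes a huge fill, so the comment could also state that the caller must pass an exact count. The fallback is dropped whenever the `AC_CHECK_FUNCS(mempset)` link test in configure.ac succeeds. If a platform library exported that name without a prototype in the included headers, the call would presumably compile against an implicit declaration; that is inferred, not visible here.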
--
2.40.0