blob: bc157d6afbfa2c3eff71d64da66ea592f54e00e8 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
|
From e709eb829448ce040087a3fc5481db6bfcaae212 Mon Sep 17 00:00:00 2001
From: "Arnold D. Robbins" <arnold@skeeve.com>
Date: Wed, 3 Aug 2022 13:00:54 +0300
Subject: [PATCH] Smal bug fix in builtin.c.
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/gawk/tree/debian/patches/CVE-2023-4156.patch?h=ubuntu/jammy-security
Upstream commit https://git.savannah.gnu.org/gitweb/?p=gawk.git;a=commitdiff;h=e709eb829448ce040087a3fc5481db6bfcaae212]
CVE: CVE-2023-4156
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
ChangeLog | 6 ++++++
builtin.c | 5 ++++-
2 files changed, 10 insertions(+), 1 deletion(-)
--- gawk-5.1.0.orig/builtin.c
+++ gawk-5.1.0/builtin.c
@@ -957,7 +957,10 @@ check_pos:
s1++;
n0--;
}
- if (val >= num_args) {
+ // val could be less than zero if someone provides a field width
+ // so large that it causes integer overflow. Mainly fuzzers do this,
+ // but let's try to be good anyway.
+ if (val < 0 || val >= num_args) {
toofew = true;
break;
}
|