[newlib-cygwin] Cygwin: fix buffer overrun in cygwin

public inbox for cygwin-cvs@sourceware.org
help / color / mirror / Atom feed

* [newlib-cygwin] Cygwin: fix buffer overrun in cygwin_strcasecmp
@ 2020-07-06 11:18 Corinna Vinschen
  0 siblings, 0 replies; only message in thread
From: Corinna Vinschen @ 2020-07-06 11:18 UTC (permalink / raw)
  To: cygwin-cvs

https://sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;h=bb96bd03b0b9be5ed63127771687ac4877092ef8

commit bb96bd03b0b9be5ed63127771687ac4877092ef8
Author: Corinna Vinschen <corinna@vinschen.de>
Date:   Mon Jul 6 13:17:53 2020 +0200

    Cygwin: fix buffer overrun in cygwin_strcasecmp
    
    sys_mbstowcs is called with the destination buffer length
    set to MaximumLength from the receiving UNICODE_STRING buffer.
    This is twice as much as the actual size of the buffer in
    wchar_t units, which is the unit expected by sys_mbstowcs.
    
    sys_mbstowcs always attaches a NUL, within the destination
    buffersize given.  But if the string is exactly one wchar_t
    less than the actual buffer, and the buffersize is given too
    large, sys_mbstowcs writes a NUL one wchar_t beyond the buffer.
    
    This has only been exposed with Cygwin 3.1.5 because alloca
    on newer gcc 9 apparently allocates more tightly.  The alloca
    buffer here is requested with 16 bytes, which is exactly the
    number of bytes required for the string L"cmd.exe".  Older gcc
    apparently allocated a few more bytes on the stack, while gcc 9
    allocates in 16 byte granularity...
    
    Fix this by giving the correct destination buffer size to
    sys_mbstowcs.
    
    Fixes: https://cygwin.com/pipermail/cygwin/2020-June/245226.html
    Signed-off-by: Corinna Vinschen <corinna@vinschen.de>

Diff:
---
 winsup/cygwin/release/3.1.6 |  3 +++
 winsup/cygwin/strfuncs.cc   | 34 ++++++++++++++++++++--------------
 2 files changed, 23 insertions(+), 14 deletions(-)

diff --git a/winsup/cygwin/release/3.1.6 b/winsup/cygwin/release/3.1.6
index d64ee4c92..e06c0bc9a 100644
--- a/winsup/cygwin/release/3.1.6
+++ b/winsup/cygwin/release/3.1.6
@@ -9,3 +9,6 @@ Bug Fixes:
 ----------
 
 - Fix IPPROTO_TCP option handling, especially in terms of TCP_MAXSEG.
+
+- Fix a buffer overrun in Cygwin-internal string comparison.
+  Fixes: https://cygwin.com/pipermail/cygwin/2020-June/245226.html
diff --git a/winsup/cygwin/strfuncs.cc b/winsup/cygwin/strfuncs.cc
index e0a4c7182..604d7611c 100644
--- a/winsup/cygwin/strfuncs.cc
+++ b/winsup/cygwin/strfuncs.cc
@@ -635,7 +635,7 @@ sys_cp_mbstowcs (mbtowc_p f_mbtowc, wchar_t *dst, size_t dlen,
 	  /* The technique is based on a discussion here:
 	     http://www.mail-archive.com/linux-utf8@nl.linux.org/msg00080.html
 
-	     Invalid bytes in a multibyte secuence are converted to
+	     Invalid bytes in a multibyte sequence are converted to
 	     the private use area which is already used to store ASCII
 	     chars invalid in Windows filenames.  This technque allows
 	     to store them in a symmetric way. */
@@ -801,14 +801,18 @@ extern "C" int __stdcall
 cygwin_strcasecmp (const char *cs, const char *ct)
 {
   UNICODE_STRING us, ut;
-  ULONG len;
-
-  len = (strlen (cs) + 1) * sizeof (WCHAR);
-  RtlInitEmptyUnicodeString (&us, (PWCHAR) alloca (len), len);
-  us.Length = sys_mbstowcs (us.Buffer, us.MaximumLength, cs) * sizeof (WCHAR);
-  len = (strlen (ct) + 1) * sizeof (WCHAR);
-  RtlInitEmptyUnicodeString (&ut, (PWCHAR) alloca (len), len);
-  ut.Length = sys_mbstowcs (ut.Buffer, ut.MaximumLength, ct) * sizeof (WCHAR);
+  ULONG len, ulen;
+
+  len = strlen (cs) + 1;
+  ulen = len * sizeof (WCHAR);
+  RtlInitEmptyUnicodeString (&us, (PWCHAR) alloca (ulen), ulen);
+  us.Length = sys_mbstowcs (us.Buffer, len, cs) * sizeof (WCHAR);
+
+  len = strlen (ct) + 1;
+  ulen = len * sizeof (WCHAR);
+  RtlInitEmptyUnicodeString (&ut, (PWCHAR) alloca (ulen), ulen);
+  ut.Length = sys_mbstowcs (ut.Buffer, len, ct) * sizeof (WCHAR);
+
   return RtlCompareUnicodeString (&us, &ut, TRUE);
 }
 
@@ -816,19 +820,21 @@ extern "C" int __stdcall
 cygwin_strncasecmp (const char *cs, const char *ct, size_t n)
 {
   UNICODE_STRING us, ut;
-  ULONG len;
+  ULONG ulen;
   size_t ls = 0, lt = 0;
 
   while (cs[ls] && ls < n)
     ++ls;
-  len = (ls + 1) * sizeof (WCHAR);
-  RtlInitEmptyUnicodeString (&us, (PWCHAR) alloca (len), len);
+  ulen = (ls + 1) * sizeof (WCHAR);
+  RtlInitEmptyUnicodeString (&us, (PWCHAR) alloca (ulen), ulen);
   us.Length = sys_mbstowcs (us.Buffer, ls + 1, cs, ls) * sizeof (WCHAR);
+
   while (ct[lt] && lt < n)
     ++lt;
-  len = (lt + 1) * sizeof (WCHAR);
-  RtlInitEmptyUnicodeString (&ut, (PWCHAR) alloca (len), len);
+  ulen = (lt + 1) * sizeof (WCHAR);
+  RtlInitEmptyUnicodeString (&ut, (PWCHAR) alloca (ulen), ulen);
   ut.Length = sys_mbstowcs (ut.Buffer, lt + 1, ct, lt)  * sizeof (WCHAR);
+
   return RtlCompareUnicodeString (&us, &ut, TRUE);
 }


^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2020-07-06 11:18 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-07-06 11:18 [newlib-cygwin] Cygwin: fix buffer overrun in cygwin_strcasecmp Corinna Vinschen

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).