patch 9.0.1847: [security] potential oob write in do_addsub() Problem: potential oob write in do_addsub() Solution: don't overflow buf2, check size in for loop() Signed-off-by: Christian Brabandt <cb@256bit.org>

commit: 889f6af37164775192e33b233a90e86fd3df0f57 [log] [tgz]
author: Christian Brabandt <cb@256bit.org> Sat Sep 02 19:43:33 2023 +0200
committer: Christian Brabandt <cb@256bit.org> Sat Sep 02 19:43:33 2023 +0200
tree: 5a869fb3afc232c67bd29821b31b0987f5e86e86
parent: 4c6fe2e2ea62469642ed1d80b16d39e616b25cf5 [diff] [blame]
diff --git a/src/ops.c b/src/ops.c
index d46a049..f4524d3 100644
--- a/src/ops.c
+++ b/src/ops.c

@@ -2919,7 +2919,7 @@
 	    for (bit = bits; bit > 0; bit--)
 		if ((n >> (bit - 1)) & 0x1) break;
 
-	    for (i = 0; bit > 0; bit--)
+	    for (i = 0; bit > 0 && i < (NUMBUFLEN - 1); bit--)
 		buf2[i++] = ((n >> (bit - 1)) & 0x1) ? '1' : '0';
 
 	    buf2[i] = '\0';
commit	889f6af37164775192e33b233a90e86fd3df0f57	[log] [tgz]
author	Christian Brabandt <cb@256bit.org>	Sat Sep 02 19:43:33 2023 +0200
committer	Christian Brabandt <cb@256bit.org>	Sat Sep 02 19:43:33 2023 +0200
tree	5a869fb3afc232c67bd29821b31b0987f5e86e86
parent	4c6fe2e2ea62469642ed1d80b16d39e616b25cf5 [diff] [blame]