AHEX16 is short enough to work as a short string, but output_AHEX() was
treating it as a long string, which caused string data to be dereferenced
as a pointer.
CVE-2017-12958.
See also https://bugzilla.redhat.com/show_bug.cgi?id=1482429.
See also http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12958.
See also http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12958.
Found by team OWL337, using the collAFL fuzzer.
Please send PSPP bug reports to bug-gnu-pspp@gnu.org.
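The commit message describes a width-driven type confusion: the same union holds either inline string bytes or a pointer to heap storage, and the width passed to the accessor decides which member is read. The following is an added illustration, not PSPP's own code; the union layout, the `MAX_SHORT_STRING` limit of 8, and the helper names are assumptions chosen to model the behaviour the message describes. It shows the fixed call producing the expected AHEX16 output and, instead of executing the wild dereference, reports for which string widths the old call would have selected the pointer member for an inline string.

```c
/* Added illustration (not PSPP code): a simplified model of the
 * short/long string union and the AHEX width confusion.
 * Layout, constant and helper names are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SHORT_STRING 8   /* assumed inline-storage limit */

/* Strings up to MAX_SHORT_STRING bytes are stored inline; longer ones
 * live elsewhere and are reached through a pointer. Only the width
 * tells which member is live. */
union value {
    double f;
    uint8_t short_string[MAX_SHORT_STRING];
    uint8_t *long_string;
};

static const uint8_t *value_str(const union value *v, int width) {
    return width <= MAX_SHORT_STRING ? v->short_string : v->long_string;
}

/* AHEX prints two hex digits per byte, so an AHEX format's display
 * width w is twice the width of the string it formats. */
struct fmt_spec { int w; };

static void output_hex(const uint8_t *s, size_t n, char *out) {
    static const char hex[] = "0123456789abcdef";
    for (size_t i = 0; i < n; i++) {
        out[2 * i] = hex[s[i] >> 4];
        out[2 * i + 1] = hex[s[i] & 15];
    }
    out[2 * n] = '\0';
}

/* Fixed version: the string width (w / 2) selects the union member. */
void output_AHEX_fixed(const union value *input,
                       const struct fmt_spec *format, char *output) {
    output_hex(value_str(input, format->w / 2), format->w / 2, output);
}

/* Before the fix, value_str received the display width w. This
 * predicate reports when that call picks long_string for a string
 * actually stored inline, i.e. treats string bytes as a pointer.
 * It is nonzero exactly for string widths 5..8 under these constants. */
int buggy_call_misselects(int string_width) {
    int display_w = 2 * string_width;
    int stored_inline = string_width <= MAX_SHORT_STRING;
    int buggy_reads_pointer = display_w > MAX_SHORT_STRING;
    return stored_inline && buggy_reads_pointer;
}

int main(void) {
    union value v;
    struct fmt_spec f = { 16 };   /* AHEX16 over an A8 variable */
    char out[17];

    memcpy(v.short_string, "abcdefgh", 8);   /* constructed sample */
    output_AHEX_fixed(&v, &f, out);
    printf("AHEX16 of \"abcdefgh\": %s\n", out);
    /* The value the buggy selection would have dereferenced: */
    printf("bytes reinterpreted as pointer: %p\n", (void *)v.long_string);
    for (int w = 1; w <= 10; w++)
        printf("string width %2d: %s\n", w,
               buggy_call_misselects(w) ? "old code dereferences string bytes"
                                        : "ok");
    return 0;
}
```

Running it prints the hex string from the corrected path and marks widths 5 through 8 as the crashing range, which is the range the regression test comment in this commit names.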
+Changes since 1.0.0:
+
+ * Bug fixes, including a fix for CVE-2017-12958.
+
Changes from 0.11.0 to 1.0.0:
* Translation updates.
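Review bot: the NEWS line `+ * Bug fixes, including a fix for CVE-2017-12958.` names only the CVE, so a user reading release notes cannot tell what was affected without looking it up; suggest naming the feature, e.g. `* Bug fixes, including a fix for a crash in AHEX output (CVE-2017-12958).`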
output_AHEX (const union value *input, const struct fmt_spec *format,
char *output)
{
- output_hex (value_str (input, format->w), format->w / 2, output);
+ output_hex (value_str (input, format->w / 2), format->w / 2, output);
}
\f
/* Decimal and scientific formatting. */
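Review bot: the corrected call `output_hex (value_str (input, format->w / 2), format->w / 2, output);` is right, but nothing at the call site records why the string width is half the format width, and the removed line was wrong precisely because that relation is easy to miss. Suggest a one-line comment above the call, e.g. `/* An AHEX format is twice as wide as the string it shows: two hex digits per byte. */`, so a later edit does not reintroduce `format->w` in the `value_str` call.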
.
])
AT_CLEANUP
+
+dnl This checks for a regression where AHEX output would crash due to
+dnl dereferencing string data as a pointer, for string widths between
+dnl 5 and 8, inclusive.
+AT_SETUP([AHEX output bug])
+AT_DATA([ahex.sps], [
+DATA LIST NOTABLE /s (a8).
+BEGIN DATA.
+abcdefgh
+END DATA.
+FORMATS s (AHEX16).
+LIST.
+])
+AT_CHECK([pspp -O format=csv ahex.sps], [0], [dnl
+Table: Data List
+s
+6162636465666768
+])
+AT_CLEANUP
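Review bot: the regression test covers only the top of the affected range, an A8 variable with AHEX16 at `+DATA LIST NOTABLE /s (a8).`, while the comment above it says widths 5 through 8 inclusive crash. Adding a variable at the lower boundary, e.g. `(a5)` with `FORMATS ... (AHEX10)`, and one just outside it, `(a4)` with `(AHEX8)`, would pin both ends of the range and confirm the short-string path still produces the expected hex. It would also help to say in the dnl comment where the 5..8 range comes from (the short-string width limit), since that is what ties the test to the fix.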