From feba48309a227fe40feb3a87cbe900015021ac73 Mon Sep 17 00:00:00 2001 From: Ben Pfaff Date: Sun, 27 Aug 2017 12:32:50 -0700 Subject: [PATCH] data-out: Pass correct width to value_str() in output_AHEX(). AHEX16 is short enough to work as a short string, but output_AHEX() was treating it as a long string, which caused string data to be dereferenced as a pointer. CVE-2017-12958. See also https://bugzilla.redhat.com/show_bug.cgi?id=1482429. See also http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12958. See also http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12958. Found by team OWL337, using the collAFL fuzzer. --- NEWS | 4 ++++ src/data/data-out.c | 2 +- tests/data/data-out.at | 19 +++++++++++++++++++ 3 files changed, 24 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index 1ce6229c76..358960403f 100644 --- a/NEWS +++ b/NEWS @@ -4,6 +4,10 @@ See the end for copying conditions. Please send PSPP bug reports to bug-gnu-pspp@gnu.org. +Changes since 1.0.0: + + * Bug fixes, including a fix for CVE-2017-12958. + Changes from 0.11.0 to 1.0.0: * Translation updates. diff --git a/src/data/data-out.c b/src/data/data-out.c index 94e555cc82..157335cbf4 100644 --- a/src/data/data-out.c +++ b/src/data/data-out.c @@ -615,7 +615,7 @@ static void output_AHEX (const union value *input, const struct fmt_spec *format, char *output) { - output_hex (value_str (input, format->w), format->w / 2, output); + output_hex (value_str (input, format->w / 2), format->w / 2, output); } /* Decimal and scientific formatting. */ diff --git a/tests/data/data-out.at b/tests/data/data-out.at index f84e144928..b6d3b88e46 100644 --- a/tests/data/data-out.at +++ b/tests/data/data-out.at 
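Review bot: The string width given to value_str() and the byte count given to output_hex() are the same `format->w / 2` computed twice on the changed line, so the two can drift apart again in a later edit; I would hoist it into one local, `int width = format->w / 2;` followed by `output_hex (value_str (input, width), width, output);`. A short why-comment would also carry the lesson the commit message states, along the lines of `/* AHEX prints two digits per byte, so the string is only w/2 bytes wide; value_str() must get the string width, since it picks inline vs. pointer storage from it. */`, because the bare call gives no hint that passing the format width made inline string bytes be dereferenced as a pointer. The commit message and the new test suggest the inline/pointer threshold falls at 8 bytes, but that threshold is not visible here, and whether other output_* functions hand value_str() the format width in the same way is outside this hunk. The `static void` return-type line of output_AHEX precedes the hunk, so the function starts one line before it.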
@@ -15689,3 +15689,22 @@ AT_CHECK([cat wkday-out.out], [0], [dnl
 .
 ])
 AT_CLEANUP
+
+dnl This checks for a regression where AHEX output would crash due to
+dnl dereferencing string data as a pointer, for string widths between
+dnl 5 and 8, inclusive.
+AT_SETUP([AHEX output bug])
+AT_DATA([ahex.sps], [
+DATA LIST NOTABLE /s (a8).
+BEGIN DATA.
+abcdefgh
+END DATA.
+FORMATS s (AHEX16).
+LIST.
+])
+AT_CHECK([pspp -O format=csv ahex.sps], [0], [dnl
+Table: Data List
+s
+6162636465666768
+])
+AT_CLEANUP
-- 
2.30.2
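Review bot: The new test exercises only the top of the affected range (an a8 variable with AHEX16), while its own dnl comment says string widths 5 through 8 crashed; adding variables at both edges of that range and one just outside on each side would pin the boundary the fix depends on. One test case can cover all of them by declaring several variables in the same DATA LIST and FORMATS statements, as in the excerpt below, with the data chosen so no hex digit above 9 appears, since the existing expected output does not show which letter case PSPP uses. The csv layout of a multi-column LIST is not visible in this hunk either, so the expected block should be confirmed from a run before committing. The hunk is self-contained; AT_SETUP and AT_CLEANUP are both inside it.
```m4
dnl … unchanged: AT_SETUP and AT_DATA header …
DATA LIST NOTABLE /s4 (a4) s5 (a5) s8 (a8) s9 (a9).
BEGIN DATA.
abcdefghi01234567ABCDEFGHI
END DATA.
FORMATS s4 (AHEX8) s5 (AHEX10) s8 (AHEX16) s9 (AHEX18).
LIST.
])
AT_CHECK([pspp -O format=csv ahex.sps], [0], [dnl
Table: Data List
s4,s5,s8,s9
61626364,6566676869,3031323334353637,414243444546474849
])
dnl … unchanged: AT_CLEANUP …
```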