Avoid format-string vulnerabilities#35
| picojson::parse(v, GapStreamToInputIterator(stream), endGapStreamIterator(), &err, &ungotc_check); | ||
| if (! err.empty()) { | ||
| ErrorQuit(err.c_str(), 0, 0); | ||
| ErrorQuit("%s", err.c_str(), 0, 0); |
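Review bot: the added line passes ErrorQuit four arguments (`"%s", err.c_str(), 0, 0`) where the removed line passed three (`err.c_str(), 0, 0`); if ErrorQuit has a fixed arity of three this will not compile. Keep the constant format but drop one trailing zero: `ErrorQuit("%s", err.c_str(), 0);`. The direction of the change is right: on the removed line the parser's error text, which can echo fragments of the input, is used as the format string, so a `%` directive in the input would be interpreted against the zero arguments.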
This is not valid syntax; ErrorQuit always takes three arguments. But this should work:
| ErrorQuit("%s", err.c_str(), 0, 0); | |
| ErrorQuit("%s", err.c_str(), 0); |
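Review bot: the arity now matches the original three-argument call, and the constant `"%s"` format is the right fix, since the error text is now data rather than format. One check before merging: `err.c_str()` goes where the original call passed `0`, so confirm that ErrorQuit's second parameter accepts a pointer (if it is declared as an integer type, an explicit cast is needed) and that `err` is still alive when ErrorQuit reads it, which holds while it is the enclosing scope's local.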
I assume that the potential vulnerability is that somehow an attacker might find a vulnerability in picojson which allows them to let it generate an error message containing a %g format character, which then might end up dereferencing 0? I've made a patch for that to GAP itself at gap-system/gap#6446. After that, I don't see how an attacker could exploit this at all.
Thank you for helping me understand the particular syntax here. I have updated the PR.
Yes, the potential vulnerability is that the parser is quoting some literal string from the input which includes a '%s', which then leads to reading the 2nd argument, being a null pointer.
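The mechanism described in the thread, as an added illustration that is not code from this PR, from GAP or from picojson. `error_quit_like` is a hypothetical stand-in for a fixed-arity, printf-style routine in the shape of `ErrorQuit(msg, arg1, arg2)`; it returns the formatted text instead of aborting so the two call shapes can be compared. `parser_error_for` is a constructed error message that quotes the offending input back, modelled on what a JSON parser's "syntax error near: ..." message does; the quoted tail is the attacker-controlled part. The `%ld` case is exercised because it is deterministic (the directive silently consumes the `0` argument); the `%s` case from the thread would read that same `0` as a `char*`, so it is only detected, not executed.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Hypothetical stand-in for a fixed-arity, printf-style error routine in the
// shape of ErrorQuit(msg, arg1, arg2). Like the real thing it hands `msg` to
// the formatter as the format string; unlike it, it returns the text.
static std::string error_quit_like(const char* msg, long arg1, long arg2) {
    char buf[256];
    std::snprintf(buf, sizeof buf, msg, arg1, arg2);
    return buf;
}

// Constructed parser error message (not picojson's own code): the parser
// quotes the input it choked on, so `bad_input` is attacker data.
std::string parser_error_for(const std::string& bad_input) {
    return "syntax error at line 1 near: " + bad_input;
}

// Vulnerable call shape, mirroring the removed line of the PR: the error
// text itself becomes the format string. A "%ld" in the input consumes
// arg1 (0); a "%s" would dereference arg1 as a char*, i.e. a null pointer.
std::string report_unsafe(const std::string& err) {
    return error_quit_like(err.c_str(), 0, 0);
}

// Hardened call shape, mirroring the fixed line of the PR: a constant
// "%s" format, with the error text travelling as data. Formatted with
// snprintf directly here so no pointer is smuggled through a long.
std::string report_safe(const std::string& err) {
    char buf[256];
    std::snprintf(buf, sizeof buf, "%s", err.c_str());
    return buf;
}

// Audit helper (added here): number of printf conversion directives in text
// that is about to reach a format parameter. "%%" is a literal percent sign
// and is not counted. Any non-zero result on attacker-influenced text means
// the caller is using that text as a format string.
int count_conversions(const std::string& s) {
    int n = 0;
    for (std::size_t i = 0; i < s.size(); ++i) {
        if (s[i] != '%') continue;
        if (i + 1 < s.size() && s[i + 1] == '%') { ++i; continue; }
        ++n;
    }
    return n;
}

int main() {
    const std::string err = parser_error_for("%ld");
    std::printf("directives in error text: %d\n", count_conversions(err));
    std::printf("unsafe: %s\n", report_unsafe(err).c_str());
    std::printf("safe:   %s\n", report_safe(err).c_str());
    return 0;
}
```

Running it shows the unsafe path replacing the quoted `%ld` with `0`, proof that the directive was interpreted, while the safe path reproduces the error text verbatim. Checking `count_conversions` against any string that is about to be passed as a format is a cheap regression test for this class of bug.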
No description provided.