Skip to content

Avoid format-string vulnerabilities#35

Open
dirkmueller wants to merge 1 commit into
gap-packages:masterfrom
dirkmueller:format_string
Open

Avoid format-string vulnerabilities#35
dirkmueller wants to merge 1 commit into
gap-packages:masterfrom
dirkmueller:format_string

Conversation

@dirkmueller

Copy link
Copy Markdown

No description provided.

Comment thread src/json.cc Outdated
picojson::parse(v, GapStreamToInputIterator(stream), endGapStreamIterator(), &err, &ungotc_check);
if (! err.empty()) {
ErrorQuit(err.c_str(), 0, 0);
ErrorQuit("%s", err.c_str(), 0, 0);

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not valid syntax, ErrorQuit always takes three arguments. But this should work:

Suggested change
ErrorQuit("%s", err.c_str(), 0, 0);
ErrorQuit("%s", err.c_str(), 0);

I assume that the potential vulnerability is that somehow an attacker migth find a vulnerability in picojson, which allows them to let it generate an error message contains a %g format character, which then might end up dereferencing 0 ? I've made a patch for that to GAP itself at gap-system/gap#6446. After that, I don't see how an attacker could exploit this at all.

CC @ChrisJefferson

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for helping me understand the particular syntax here. I have updated the PR.

yes, the potential vulnerability is that the parser is quoting some literal string from the input which includes a '%s' which then leads to reading the 2nd argument, being a null pointer.

Comment thread src/json.cc Outdated
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants