On Fri, 08 Dec 2017 08:58:17 -0700, "Todd C. Miller" wrote:

> This adds some missing length checks and fixes the crash.
> It may just be hiding the source of the actual bug, however.

Updated diff that adds another missing length check.

 - todd

Index: usr.bin/locate/locate/fastfind.c
===================================================================
RCS file: /cvs/src/usr.bin/locate/locate/fastfind.c,v
retrieving revision 1.13
diff -u -p -u -r1.13 fastfind.c
--- usr.bin/locate/locate/fastfind.c    23 Oct 2015 07:57:03 -0000      1.13
+++ usr.bin/locate/locate/fastfind.c    8 Dec 2017 16:16:37 -0000
@@ -173,6 +173,8 @@ fastfind_mmap
 
                /* go forward or backward */
                if (c == SWITCH) { /* big step, an integer */
+                       if (len < INTSIZE)
+                               break;
                        count += getwm(paddr) - OFFSET;
                        len -= INTSIZE; paddr += INTSIZE;
                } else {           /* slow step, =< 14 chars */
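Review bot: the new `if (len < INTSIZE) break;` guard stops `getwm(paddr)` from reading an integer past the end of the mapped database, but it leaves the loop silently, so a truncated or corrupt database is indistinguishable from a clean end of data. Since the reply itself says the checks may be hiding the source of the actual bug, consider emitting a diagnostic (the database ends inside an encoded entry) before the `break` so the underlying problem is visible rather than masked.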
@@ -184,7 +186,7 @@ fastfind_mmap
                p = path + count;
                foundchar = p - 1;
 
-               for (;;) {
+               for (; len > 0; ) {
                        c = (u_char)*paddr++;
                        len--;
                        /*
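Review bot: `for (; len > 0; )` is an odd spelling for a loop with no init or step; `while (len > 0)` states the same condition more plainly and is the usual form. Note also that because `c = (u_char)*paddr++; len--;` is the first statement of the body, this condition only prevents reading the byte after the end of the buffer: an entry cut off mid-string now drops out of the loop as if it had ended normally, with nothing to tell the two cases apart.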
@@ -197,7 +199,7 @@ fastfind_mmap
                         */
                        if (c < PARITY) {
                                if (c <= UMLAUT) {
-                                       if (c == UMLAUT) {
+                                       if (c == UMLAUT && len > 0) {
                                                c = (u_char)*paddr++;
                                                len--;
 
