>Synopsis:      In certain cases, mkhybrid(8) with -T crashes with a segmentation fault.

>Category:      system
>Environment:
        System      : OpenBSD 7.0
        Details     : OpenBSD 7.0 (GENERIC.MP) #0: Fri Oct 15 05:21:14 +03 2021
                         [email protected]:/sys/arch/amd64/compile/GENERIC.MP

        Architecture: OpenBSD.amd64
        Machine     : amd64

>Description:
This issue is caused by failing to allocate space for the terminating null
byte.

The code allocates tablesize bytes for the (char *) table field. Then,
on line 520 in tree.c, the table field is used to accumulate the lines
of the translation table. When the loop reaches the last line, sprintf()
writes its terminating null one byte past the end of the allocation, and
mkhybrid segfaults.

>How-To-Repeat:
It is not possible to replicate this issue easily, because tablesize is
passed to the ROUND_UP() macro before being passed to e_malloc() and
memset(). ROUND_UP() rounds the allocation up to the sector size, so it
usually leaves slack after the last byte and hides the missing
terminator; the extra byte only lands outside the allocation when
tablesize is already an exact multiple of that size. You have to be
(un)lucky enough to hit it (I've been using mkhybrid for the past 15
years, and never had any problems).
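An added example (not code from the report or from the mkhybrid source) showing why ROUND_UP() masks the missing byte and how a bounded accumulation avoids the overflow. SECTOR_SIZE, ROUND_UP(), slack_unfixed(), slack_fixed() and build_table() are assumed stand-ins for the tree.c code, and a 2048-byte granularity is assumed for ROUND_UP().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed 2048-byte sector rounding standing in for mkhybrid's ROUND_UP();
 * the real macro's granularity is not shown in the report. */
#define SECTOR_SIZE 2048
#define ROUND_UP(x) ((((x) + SECTOR_SIZE - 1) / SECTOR_SIZE) * SECTOR_SIZE)

/* Bytes left after the last table byte when the buffer is ROUND_UP(tablesize):
 * zero exactly when tablesize is a multiple of SECTOR_SIZE, which is the only
 * case where the terminating null written by sprintf() lands outside the
 * allocation. This is why the crash is so rarely seen. */
size_t slack_unfixed(size_t tablesize) { return ROUND_UP(tablesize) - tablesize; }

/* Same check with the +1 applied before rounding: never less than one byte. */
size_t slack_fixed(size_t tablesize) { return ROUND_UP(tablesize + 1) - tablesize; }

/* Accumulate translation-table lines into one buffer, as tree.c does, but
 * size the buffer from the same line lengths plus the terminator and bound
 * every write with snprintf(), so a sizing mistake fails cleanly instead of
 * overflowing. Returns a buffer the caller frees, or NULL on failure. */
char *build_table(const char *const *lines, size_t nlines, size_t *out_len)
{
    size_t tablesize = 0, used = 0, bufsize;
    char *table;

    for (size_t i = 0; i < nlines; i++)
        tablesize += strlen(lines[i]);
    bufsize = ROUND_UP(tablesize + 1);          /* room for the terminator */
    table = calloc(1, bufsize);                 /* zeroed, like the memset() */
    if (table == NULL)
        return NULL;
    for (size_t i = 0; i < nlines; i++) {
        int n = snprintf(table + used, bufsize - used, "%s", lines[i]);
        if (n < 0 || (size_t)n >= bufsize - used) {   /* would have truncated */
            free(table);
            return NULL;
        }
        used += (size_t)n;
    }
    if (out_len != NULL)
        *out_len = used;
    return table;
}
```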

>Fix:
I don't know if this issue is related to OpenBSD or GNU, but the
following simple patch fixes it.

--- /usr/src/gnu/usr.sbin/mkhybrid/src/tree.c.orig      Mon Oct 18
02:47:25 2021
+++ /usr/src/gnu/usr.sbin/mkhybrid/src/tree.c   Mon Oct 18 05:15:08
2021
@@ -409,8 +409,8 @@
       table->filedir = this_dir;
       table->de_flags    |= INHIBIT_JOLIET_ENTRY;
       table->name = strdup("<translation table>");
-      table->table = (char *) e_malloc(ROUND_UP(tablesize));
-      memset(table->table, 0, ROUND_UP(tablesize));
+      table->table = (char *) e_malloc(ROUND_UP(tablesize + 1));
+      memset(table->table, 0, ROUND_UP(tablesize + 1));
 #ifdef APPLE_HYB
       iso9660_file_length  (trans_tbl, table, 0);
 #else
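Review bot: the +1 corrects the allocation, but the accumulation loop at line 520 still writes into table->table with unbounded sprintf(), so any future mismatch between tablesize and the lines actually written would overflow again; consider bounding each write with snprintf() against the remaining space, or asserting after the loop that the bytes written equal tablesize. A one-line comment on the e_malloc() call saying the extra byte is for the terminating null would also help, since the ROUND_UP() makes the +1 look redundant to a reader who does not know this history.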