Hi all,

I just noticed ticket #1375 is caused by an incorrect check in C_i_length
which causes a segfault when passed an improper list.  That means this
could be a denial of service if (length) is used on user input.
The attached patch applies both to master and chicken-5.

Cheers,
Peter
From 76bbb0c92c0a9e2cadac9796e55fdd2836424fdb Mon Sep 17 00:00:00 2001
From: Peter Bex <pe...@more-magic.net>
Date: Sun, 28 May 2017 12:37:44 +0200
Subject: [PATCH] Fix segmentation fault in "length" on improper lists.

This fixes #1375
---
 NEWS                    | 2 ++
 runtime.c               | 2 +-
 tests/library-tests.scm | 6 ++++++
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index 7e395ac..fc05da8 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,8 @@
   - CVE-2017-6949: Remove unchecked malloc() call in SRFI-4 constructors
     when allocating in non-GC memory, resulting in potential 1-word
     buffer overrun and/or segfault (thanks to Lemonboy).
+  - "length" no longer crashes on improper lists
+    (fixes #1375, thanks to "megane").
 
 - Core Libraries
   - Unit "posix": If file-lock, file-lock/blocking or file-unlock are
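Review bot: The new NEWS entry says only that "length" no longer crashes, while the cover note describes the crash as a segfault that could be a denial of service when (length) is applied to user input. The neighbouring CVE-2017-6949 entry spells out "buffer overrun and/or segfault", so this one should state the impact as well, for example: "length" no longer segfaults on improper lists, a possible denial of service when applied to untrusted input.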
diff --git a/runtime.c b/runtime.c
index 86db413..7a513c2 100644
--- a/runtime.c
+++ b/runtime.c
@@ -5379,7 +5379,7 @@ C_regparm C_word C_fcall C_i_length(C_word lst)
       }
     }
 
-    if(C_immediatep(slow) || C_block_header(lst) != C_PAIR_TAG)
+    if(C_immediatep(slow) || C_block_header(slow) != C_PAIR_TAG)
       barf(C_NOT_A_PROPER_LIST_ERROR, "length", lst);
 
     slow = C_u_i_cdr(slow);
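Review bot: A short comment above the corrected `if` would help keep this from regressing. The pair check has to be made on `slow`, because the statement right after it, `slow = C_u_i_cdr(slow);`, reads through that pointer, whereas `lst` is only passed along to barf() for the error report. The removed line shows how easy it is to test the wrong one of the two variables, and nothing in the visible code tells a reader why they must not be interchanged.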
diff --git a/tests/library-tests.scm b/tests/library-tests.scm
index cd2f6e9..9c7cab4 100644
--- a/tests/library-tests.scm
+++ b/tests/library-tests.scm
@@ -693,3 +693,9 @@ A
 (assert (not (member "foo" '("bar"))))
 (assert (not (member "foo" '())))
 (assert-fail (member "foo" "foo"))
+
+
+;; length
+
+(assert-fail (length 1))
+(assert-fail (length '(x . y)))
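Review bot: The two new assertions cover a non-list and a single-pair improper list, but the runtime.c change only makes a difference once `slow` no longer refers to the same object as `lst`, which requires at least one `slow = C_u_i_cdr(slow)` step before the improper tail is reached. Please add a longer case such as `(assert-fail (length '(x y . z)))` so the test exercises the corrected check after the pointer has advanced, and confirm that it fails against the unpatched runtime. A positive case next to it, e.g. `(assert (= 3 (length '(x y z))))`, would also guard against the check becoming too strict.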
-- 
2.1.4

_______________________________________________
Chicken-hackers mailing list
Chicken-hackers@nongnu.org
https://lists.nongnu.org/mailman/listinfo/chicken-hackers