berry-lang/berry

Out-of-bound memory access in be_byteslib

Closed this issue · 2 comments

Due to a cast from size_t to int32_t in the buf_set and buf_get functions, it is possible to supply a large offset and access memory out of bounds through a bytes object.

Here is an example problematic function:

static void buf_set4_le(buf_impl* attr, size_t offset, uint32_t data)
{
    // The cast here is causing the problem: a large size_t wraps to a negative int32_t
    if ((int32_t)offset + 3 < attr->len) {
        attr->bufptr[offset] = data & 0xFF;
        attr->bufptr[offset+1] = (data >> 8) & 0xFF;
        attr->bufptr[offset+2] = (data >> 16) & 0xFF;
        attr->bufptr[offset+3] = data >> 24;
    }
}

Reproducing

Here is a Berry code snippet that will cause a segmentation fault:

b=bytes()
b.set(32314545516, 0, 4)  # This offset is treated as a negative number, bypassing the bounds check

Fixing

The issue can be rectified by checking that the provided offset is not negative.
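To make the truncation concrete, the following is an added example (not code from the berry project): it puts the narrowing bounds check described above next to a check that compares in size_t, and drives both with the offset from the reproducer. The `buf_impl` struct, `sample_buf`, `in_bounds_narrowing`, `in_bounds_checked` and `buf_set4_le_checked` are assumptions made for this example, and it assumes a 64-bit size_t with the usual modular truncation on the int32_t cast.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal stand-in for berry's buf_impl: only the two fields the bounds
   check touches (assumed layout for this example, not the project's own). */
typedef struct {
    int32_t len;
    uint8_t *bufptr;
} buf_impl;

/* The offset from the issue's reproducer. */
#define ISSUE_OFFSET 32314545516ULL

/* The check as the issue describes it: offset is narrowed to int32_t before
   the comparison, so a huge size_t wraps to a negative value and passes. */
bool in_bounds_narrowing(const buf_impl *attr, size_t offset, size_t width)
{
    return (int32_t)offset + (int32_t)(width - 1) < attr->len;
}

/* Hardened check: stay in size_t, reject a negative length, and test
   offset <= len - width so that offset + width can never overflow. */
bool in_bounds_checked(const buf_impl *attr, size_t offset, size_t width)
{
    if (attr->len < 0 || width == 0) return false;
    size_t len = (size_t)attr->len;
    if (width > len) return false;
    return offset <= len - width;
}

/* Little-endian 4-byte store guarded by the hardened check; returns false
   and writes nothing when the access would leave the buffer. */
bool buf_set4_le_checked(buf_impl *attr, size_t offset, uint32_t data)
{
    if (!in_bounds_checked(attr, offset, 4)) return false;
    attr->bufptr[offset]     = data & 0xFF;
    attr->bufptr[offset + 1] = (data >> 8) & 0xFF;
    attr->bufptr[offset + 2] = (data >> 16) & 0xFF;
    attr->bufptr[offset + 3] = data >> 24;
    return true;
}

/* An 8-byte constructed sample buffer for the demonstration. */
static uint8_t sample_storage[8];

buf_impl sample_buf(void)
{
    buf_impl b = { (int32_t)sizeof sample_storage, sample_storage };
    return b;
}

int main(void)
{
    buf_impl b = sample_buf();
    printf("narrowing check, issue offset: %s (bug: passes)\n",
           in_bounds_narrowing(&b, ISSUE_OFFSET, 4) ? "pass" : "reject");
    printf("hardened check,  issue offset: %s\n",
           in_bounds_checked(&b, ISSUE_OFFSET, 4) ? "pass" : "reject");
    printf("hardened check,  offset 4:     %s\n",
           buf_set4_le_checked(&b, 4, 0x11223344u) ? "written" : "reject");
    return 0;
}
```

The narrowing variant accepts both the reproducer's offset and `SIZE_MAX` (which becomes -1 after the cast), while the size_t comparison rejects them and still admits every in-range write, including the last valid 4-byte slot.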

Nice finding. Maybe we should handle negative offset as starting from end, like in arrays. Thoughts?

Fixed, awaiting approval before merging