9fans / plan9port

Plan 9 from User Space
https://9fans.github.io/plan9port/

troff assumes short paths #549

Open Humm42 opened 2 years ago

Humm42 commented 2 years ago

Troff uses fixed-size buffers (e.g., src/cmd/troff/n1.c:229) for various strings (e.g., src/cmd/troff/n1.c:249), causing buffer overflows when input data is too long. In particular, DWBhomedir can exceed 100 bytes.

Such buffers should be (re)allocated dynamically.

nmeum commented 2 years ago

To provide some additional information, the problem is the following code:

https://github.com/9fans/plan9port/blob/74374cc8a40c450423785015c2e30d5a2ed2920c/src/cmd/troff/n1.c#L247-L249

DWBhomedir may exceed the 100-byte buffer on its own and there is no bounds check. For example, on our Alpine Linux builders DWBhomedir is: /builds/alpine/aports/community/plan9port/src/plan9port-d0d440860f2000a1560abb3f593cdc325fcead4c/. On our builders, this causes a segfault as the buffer overflow is detected by -D_FORTIFY_SOURCE=2 (which we enable by default).
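Added example, not part of the thread and not troff's code: a sketch of the dynamic allocation suggested above, next to a bounded fixed-buffer variant that reports truncation instead of overflowing. The helper names `join_path` and `join_path_fixed` and the file name in `REL` are hypothetical; `HOME` is the builder path quoted in the comment above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Path quoted in the issue; REL is a constructed sample file name. */
static const char *HOME =
    "/builds/alpine/aports/community/plan9port/src/"
    "plan9port-d0d440860f2000a1560abb3f593cdc325fcead4c/";
static const char *REL = "sample/file.name";

/* Hypothetical helper (not troff's code): join home and rel into a heap
 * buffer sized from the inputs. Returns NULL on overflow or OOM; caller frees. */
char *join_path(const char *home, const char *rel)
{
    size_t hl = strlen(home), rl = strlen(rel);
    size_t slash = (hl > 0 && home[hl - 1] != '/') ? 1 : 0;

    if (rl > SIZE_MAX - hl - slash - 1)   /* length arithmetic would wrap */
        return NULL;
    char *p = malloc(hl + slash + rl + 1);
    if (p == NULL)
        return NULL;
    memcpy(p, home, hl);
    if (slash)
        p[hl] = '/';
    memcpy(p + hl + slash, rel, rl + 1);  /* copies the terminating NUL */
    return p;
}

/* Where a fixed buffer must stay: bounded write that reports truncation
 * (-1) instead of writing past dst. Returns 0 when the whole path fit. */
int join_path_fixed(char *dst, size_t dstsz, const char *home, const char *rel)
{
    size_t hl = strlen(home);
    const char *sep = (hl > 0 && home[hl - 1] != '/') ? "/" : "";
    int n = snprintf(dst, dstsz, "%s%s%s", home, sep, rel);
    return (n < 0 || (size_t)n >= dstsz) ? -1 : 0;
}

int main(void)
{
    char fixed[100];   /* same size as the buffer named in the issue */
    char *p = join_path(HOME, REL);

    printf("fixed buffer: %s\n",
           join_path_fixed(fixed, sizeof fixed, HOME, REL) ? "too long" : "ok");
    printf("dynamic (%zu bytes): %s\n", p ? strlen(p) : (size_t)0, p ? p : "(null)");
    free(p);
    return 0;
}
```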