radareorg / sdb

Simple and fast string based key-value database with support for arrays and json
https://www.radare.org/
MIT License

Fix heap buffer overflow #227

Closed pelijah closed 3 years ago

pelijah commented 3 years ago

Detailed description

Reserve extra byte for terminating null to prevent heap buffer overflow (https://github.com/radareorg/sdb/blob/master/src/text.c#L229) in last call of load_flush_line() (https://github.com/radareorg/sdb/blob/master/src/text.c#L364)

Test plan

...

Closing issues

...

pelijah commented 3 years ago

@thestr4ng3r

thestr4ng3r commented 3 years ago

Same issue as in #226. While your change fixes the issue for loading files without mmap, it is still technically wrong with how the API of sdb_text_load_buf() is meant to be used (the buffer is allowed to be only of the given size) and will also fail when loading a file which has a size of exactly a multiple of the pagesize with mmap.
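The point raised above, that the caller's buffer may be exactly the given size and that an in-place terminator write at `buf[len]` therefore lands one byte past the allocation, is illustrated by the following added example. It is not sdb's code and not the PR's patch: it is a minimal line splitter that flushes each line into its own NUL-terminated copy, so nothing is ever written into the source buffer, and a buffer that ends mid-line (no trailing newline, length an exact multiple of whatever granularity the file was mapped at) is handled without any reserved extra byte. The function names `split_lines`, `copy_line`, `free_lines` and `check_split` and the sample inputs are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy the line [start, start + n) into a new NUL-terminated heap string.
 * The terminator lives in the copy, never in the source buffer, so a source
 * that is exactly `len` bytes long (the situation described for a mmap'd file
 * whose size is a page multiple) is never written past its end. */
static char *copy_line(const char *start, size_t n) {
    char *s = malloc(n + 1);
    if (!s) return NULL;
    memcpy(s, start, n);
    s[n] = '\0';
    return s;
}

/* Split a buffer of exactly `len` bytes (not NUL-terminated, caller owns it)
 * into lines. A final line without a trailing '\n' is still flushed.
 * Returns the number of lines and stores an array of copies in *out. */
size_t split_lines(const char *buf, size_t len, char ***out) {
    size_t cap = 8, count = 0, start = 0;
    char **lines = malloc(cap * sizeof *lines);
    if (!lines) { *out = NULL; return 0; }
    for (size_t i = 0; i <= len; i++) {
        int at_end = (i == len);
        if (!at_end && buf[i] != '\n') continue;
        /* The end-of-buffer position is only a line boundary when the last
         * line has no newline; an empty tail after a '\n' is not a line. */
        if (at_end && i == start) break;
        if (count == cap) {
            cap *= 2;
            char **grown = realloc(lines, cap * sizeof *lines);
            if (!grown) break;
            lines = grown;
        }
        lines[count] = copy_line(buf + start, i - start);
        if (!lines[count]) break;
        count++;
        start = i + 1;
    }
    *out = lines;
    return count;
}

void free_lines(char **lines, size_t count) {
    for (size_t i = 0; i < count; i++) free(lines[i]);
    free(lines);
}

/* Self-check: place `text` in a heap buffer of exactly its length (no spare
 * terminator byte for a bug to hide in), split it, and verify the line count
 * and the last line. Returns 1 on success, 0 on mismatch. Under
 * AddressSanitizer an in-place terminator write at buf[len] would be
 * reported from here; this splitter performs no such write. */
int check_split(const char *text, size_t expect_count, const char *expect_last) {
    size_t len = strlen(text);
    char *buf = malloc(len ? len : 1);   /* constructed exact-size buffer */
    if (!buf) return 0;
    memcpy(buf, text, len);
    char **lines = NULL;
    size_t n = split_lines(buf, len, &lines);
    int ok = (n == expect_count) &&
             (n == 0 ? expect_last == NULL
                     : (expect_last && strcmp(lines[n - 1], expect_last) == 0));
    free_lines(lines, n);
    free(buf);
    return ok;
}

int main(void) {
    /* constructed inputs; the second one ends without a newline */
    printf("%d\n", check_split("a=1\nb=2\n", 2, "b=2"));
    printf("%d\n", check_split("a=1\nb=2", 2, "b=2"));
    printf("%d\n", check_split("", 0, NULL));
    return 0;
}
```

Building this with `-fsanitize=address` and running it is a quick way to confirm that the splitter respects the caller's stated buffer size: the same check applied to a loader that terminates lines in place would report a one-byte heap write past the exact-size buffer.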

pelijah commented 3 years ago

Meh... I’m not even the first...

thestr4ng3r commented 3 years ago

Funny that we both found the bug within one hour after it has existed for 16 days.