This replaces the vulnerable function with a version that aborts the copy if the destination buffer is full.
Adding destination length checks within process_fmt()/fmt_cell_combine() isn't enough, because the vulnerable function can apply a form of run-length decoding based on the values in the source buffer (using memdup()). This can cause the destination buffer to expand beyond the size of the source buffer. The proof-of-concept exploit does this to overflow a 1024-byte buffer with a 38-byte file.
Replacing a function without a symbol was a bit tricky (and I'm not sure if this is the best way to handle it) but it seems to work and all of the tests pass. I won't be offended if you decide to go with an entirely different approach!
Fixes #103
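As an added example (not code from this PR or from the project), the following constructed C program illustrates the point made above: when the copy performs run-length expansion, the destination can grow far beyond the source length, so the only reliable guard is a check against the remaining destination capacity inside the copy loop itself. The toy format, the function names rle_expanded_size() and rle_decode_bounded(), and the sample bytes are assumptions for illustration only, not the project's real format or API.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy run-length encoding (an assumption for this example, not
 * the project's real format): the source is a sequence of (count, value)
 * byte pairs and the decoder emits `count` copies of `value`. Two source
 * bytes can therefore produce up to 255 output bytes, so the decoded size
 * is not bounded by the source length. */

/* Compute how many bytes the source would expand to, without writing any.
 * Returns SIZE_MAX on a malformed (odd-length) source. */
size_t rle_expanded_size(const uint8_t *src, size_t srclen)
{
    size_t total = 0;
    if (srclen % 2 != 0)
        return SIZE_MAX;
    for (size_t i = 0; i < srclen; i += 2)
        total += src[i];
    return total;
}

/* Decode src into dst, aborting as soon as dst (capacity dstlen) would be
 * exceeded. Returns the number of bytes written, or -1 if the output does
 * not fit or the source is malformed. Nothing past dst[dstlen - 1] is ever
 * written, whatever the source says. */
long rle_decode_bounded(const uint8_t *src, size_t srclen,
                        uint8_t *dst, size_t dstlen)
{
    size_t out = 0;
    if (srclen % 2 != 0)
        return -1;
    for (size_t i = 0; i < srclen; i += 2) {
        size_t count = src[i];
        uint8_t value = src[i + 1];
        /* The check is against the remaining destination space, not the
         * source length: this 2-byte pair may need up to 255 output bytes. */
        if (count > dstlen - out)
            return -1;
        memset(dst + out, value, count);
        out += count;
    }
    return (long)out;
}

/* Constructed sample: 6 source bytes that expand to 600 output bytes. */
static const uint8_t SAMPLE_SRC[] = { 200, 'A', 200, 'B', 200, 'C' };

int main(void)
{
    uint8_t small[256];
    uint8_t large[1024];

    printf("source bytes: %zu, expanded bytes: %zu\n",
           sizeof SAMPLE_SRC,
           rle_expanded_size(SAMPLE_SRC, sizeof SAMPLE_SRC));
    /* A 256-byte destination is refused instead of being overrun. */
    printf("decode into 256 bytes: %ld\n",
           rle_decode_bounded(SAMPLE_SRC, sizeof SAMPLE_SRC, small, sizeof small));
    /* A 1024-byte destination holds the full 600-byte output. */
    printf("decode into 1024 bytes: %ld\n",
           rle_decode_bounded(SAMPLE_SRC, sizeof SAMPLE_SRC, large, sizeof large));
    return 0;
}
```

The same six source bytes succeed into the larger buffer and are rejected by the smaller one; a guard placed only at the call site, comparing source length to destination size, would have approved both copies.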