diff options
author | Kevin Backhouse <securitylab@github.com> | 2021-03-12 18:00:56 +0100 |
---|---|---|
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2021-03-12 18:33:01 +0100 |
commit | 1f922f82d85f6b4a8bdca82598389c566c72e8f7 (patch) | |
tree | 8f4d3f6ca1dc832595df978589851e90c464fe6d | |
parent | c94ad6f6c3841d69a0eb3bf6ae524df60b9f70f2 (diff) | |
download | systemd-246.11.tar.gz |
ask-password-api: fix error handling on invalid unicode characterv246.11
The integer overflow happens when utf8_encoded_valid_unichar() returns an error
code. The error code is a negative number: -22. This overflows when it is
assigned to `z` (type `size_t`). This can cause an infinite loop if the value
of `q` is 22 or larger.
To reproduce the bug, you need to run `systemd-ask-password` and enter an
invalid unicode character, followed by a backspace character.
GHSL-2021-052
(cherry picked from commit 37ca78a35cd1b9f13e584ccf3d332413c7875e40)
(cherry picked from commit 069525e84a67375e27429cb490e8d28af78e673a)
-rw-r--r-- | src/shared/ask-password-api.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/shared/ask-password-api.c b/src/shared/ask-password-api.c index 7bf64e1cf8..0326361b6b 100644 --- a/src/shared/ask-password-api.c +++ b/src/shared/ask-password-api.c @@ -617,10 +617,10 @@ int ask_password_tty( * last one begins */ q = 0; for (;;) { - size_t z; + int z; z = utf8_encoded_valid_unichar(passphrase + q, (size_t) -1); - if (z == 0) { + if (z <= 0) { q = (size_t) -1; /* Invalid UTF8! */ break; } |