diff options
| author | Kevin Backhouse <securitylab@github.com> | 2021-03-12 18:00:56 +0100 |
|---|---|---|
| committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2021-03-12 18:27:47 +0100 |
| commit | 069525e84a67375e27429cb490e8d28af78e673a (patch) | |
| tree | b0d83b792ba04f00d2ecf4b9d428f1936b43c624 | |
| parent | 78a43c33c8847ebbc2d3cf530ebe304924c58b32 (diff) | |
| download | systemd-247.4.tar.gz | |
ask-password-api: fix error handling on invalid unicode characterv247.4
The integer overflow happens when utf8_encoded_valid_unichar() returns an error
code. The error code is a negative number: -22. This overflows when it is
assigned to `z` (type `size_t`). This can cause an infinite loop if the value
of `q` is 22 or larger.
To reproduce the bug, you need to run `systemd-ask-password` and enter an
invalid unicode character, followed by a backspace character.
GHSL-2021-052
(cherry picked from commit 37ca78a35cd1b9f13e584ccf3d332413c7875e40)
| -rw-r--r-- | src/shared/ask-password-api.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/shared/ask-password-api.c b/src/shared/ask-password-api.c index 8d66f9ffa7..6fe7a02a76 100644 --- a/src/shared/ask-password-api.c +++ b/src/shared/ask-password-api.c @@ -614,10 +614,10 @@ int ask_password_tty( * last one begins */ q = 0; for (;;) { - size_t z; + int z; z = utf8_encoded_valid_unichar(passphrase + q, (size_t) -1); - if (z == 0) { + if (z <= 0) { q = (size_t) -1; /* Invalid UTF8! */ break; } |