From 957aefdc8f5523a1d45775f5ce3de74c03f5ed98 Mon Sep 17 00:00:00 2001
From: Shishir Jaiswal
Date: Fri, 17 Jun 2016 10:11:33 +0530
Subject: [PATCH] Bug#23498283 - BUFFER OVERFLOW

DESCRIPTION
===========
Buffer overflow is reported in Regex library. This can be triggered when the data corresponding to argv[1] is >= 512 bytes resutling in abnormal behaviour.

ANALYSIS
========
Its a straight forward case of SEGFAULT where the target buffer is smaller than the source string to be copied. A simple pre-copy validation should do.

FIX
===
A check is added before doing strcpy() to ensure that the target buffer is big enough to hold the to-be copied data. If the check fails, the program aborts.
---
 regex/split.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/regex/split.c b/regex/split.c
index a3a11f793ed..abae74eba9c 100644
--- a/regex/split.c
+++ b/regex/split.c
@@ -159,6 +159,10 @@ char *argv[];
 if (argc > 4)
 for (n = atoi(argv[3]); n > 0; n--) {
+ if(sizeof(buf)-1 < strlen(argv[1]))
+ {
+ exit(EXIT_FAILURE);
+ }
 (void) strcpy(buf, argv[1]);
 }
 else if (argc > 3)