From: LemonBoy <thatlemon@gmail.com>
Date: Fri, 10 Mar 2017 16:29:47 +0100
Subject: [PATCH] Add bound checking to all srfi-4 vector allocations.

Do what C_allocate_vector already does and prevent the creation of a
vector that's too big or too small.
We should be very careful to avoid the latter case because the
allocation size is directly fed into `malloc' as 'x + sizeof(C_header)',
thus making it possible to successfully allocate a vector smaller than
the C_header structure and have C_block_header_init write over
uninitialized memory.

To reduce code duplication, type checking is moved from each of the
make-*vector procedures to the common "alloc" helper procedure.

Signed-off-by: Peter Bex <peter@more-magic.net>
Signed-off-by: Kooda <kooda@upyum.com>
---
 srfi-4.scm | 34 +++++++++++++++-------------------
 1 file changed, 15 insertions(+), 19 deletions(-)

diff --git a/srfi-4.scm b/srfi-4.scm
index 7f5412b..69f58ba 100644
--- a/srfi-4.scm
+++ b/srfi-4.scm
@@ -255,24 +255,28 @@ EOF
 
 ;;; Basic constructors:
 
-(let* ([ext-alloc
-	(foreign-lambda* scheme-object ([int bytes])
-	  "C_word *buf = (C_word *)C_malloc(bytes + sizeof(C_header));"
+(let* ((ext-alloc
+	(foreign-lambda* scheme-object ((size_t bytes))
+	  "C_word *buf;"
+	  "if (bytes > C_HEADER_SIZE_MASK) C_return(C_SCHEME_FALSE);"
+	  "buf = (C_word *)C_malloc(bytes + sizeof(C_header));"
 	  "if(buf == NULL) C_return(C_SCHEME_FALSE);"
 	  "C_block_header_init(buf, C_make_header(C_BYTEVECTOR_TYPE, bytes));"
-	  "C_return(buf);") ]
-       [ext-free
-	(foreign-lambda* void ([scheme-object bv])
-	  "C_free((void *)C_block_item(bv, 1));") ]
-       [alloc
+	  "C_return(buf);") )
+       (ext-free
+	(foreign-lambda* void ((scheme-object bv))
+	  "C_free((void *)C_block_item(bv, 1));") )
+       (alloc
 	(lambda (loc len ext?)
+	  (##sys#check-exact len loc)
+	  (when (fx< len 0) (##sys#error loc "size is negative" len))
 	  (if ext?
-	      (let ([bv (ext-alloc len)])
+	      (let ((bv (ext-alloc len)))
 		(or bv
 		    (##sys#error loc "not enough memory - cannot allocate external number vector" len)) )
-	      (let ([bv (##sys#allocate-vector len #t #f #t)]) ; this could be made better...
+	      (let ((bv (##sys#allocate-vector len #t #f #t))) ; this could be made better...
 		(##core#inline "C_string_to_bytevector" bv)
-		bv) ) ) ] )
+		bv) ) ) ) )
 
   (set! release-number-vector
     (lambda (v)
@@ -282,7 +286,6 @@ EOF
 
   (set! make-u8vector
     (lambda (len #!optional (init #f)  (ext? #f) (fin? #t))
-      (##sys#check-exact len 'make-u8vector)
       (let ((v (##sys#make-structure 'u8vector (alloc 'make-u8vector len ext?))))
 	(when (and ext? fin?) (set-finalizer! v ext-free))
 	(if (not init)
@@ -295,7 +298,6 @@ EOF
 
   (set! make-s8vector
     (lambda (len #!optional (init #f)  (ext? #f) (fin? #t))
-      (##sys#check-exact len 'make-s8vector)
       (let ((v (##sys#make-structure 's8vector (alloc 'make-s8vector len ext?))))
 	(when (and ext? fin?) (set-finalizer! v ext-free))
 	(if (not init)
@@ -308,7 +310,6 @@ EOF
 
   (set! make-u16vector
     (lambda (len #!optional (init #f)  (ext? #f) (fin? #t))
-      (##sys#check-exact len 'make-u16vector)
       (let ((v (##sys#make-structure 'u16vector (alloc 'make-u16vector (##core#inline "C_fixnum_shift_left" len 1) ext?))))
 	(when (and ext? fin?) (set-finalizer! v ext-free))
 	(if (not init)
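Review bot: `(##core#inline "C_fixnum_shift_left" len 1)` now runs on `len` before `alloc` reaches `##sys#check-exact`, whereas the removed `(##sys#check-exact len 'make-u16vector)` ran first; a non-fixnum `len` is therefore fed to the raw fixnum shift before any type check, and if `C_fixnum_shift_left` is an unchecked shift, as its name suggests, a fixnum large enough to lose bits is scaled before the bound check sees it, so the byte count `alloc` validates need not correspond to the element count the rest of the lambda uses. The same ordering appears in the make-s16vector, make-u32vector, make-s32vector, make-f32vector and make-f64vector hunks. Either keep the `(##sys#check-exact len 'make-u16vector)` line ahead of the shift in each caller, or let `alloc` take the element count and a shift amount so it checks the unshifted value itself. The lambda body continues past the hunk.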
@@ -321,7 +322,6 @@ EOF
 
   (set! make-s16vector
     (lambda (len #!optional (init #f)  (ext? #f) (fin? #t))
-      (##sys#check-exact len 'make-s16vector)
       (let ((v (##sys#make-structure 's16vector (alloc 'make-s16vector (##core#inline "C_fixnum_shift_left" len 1) ext?))))
 	(when (and ext? fin?) (set-finalizer! v ext-free))
 	(if (not init)
@@ -334,7 +334,6 @@ EOF
 
   (set! make-u32vector
     (lambda (len #!optional (init #f)  (ext? #f) (fin? #t))
-      (##sys#check-exact len 'make-u32vector)
       (let ((v (##sys#make-structure 'u32vector (alloc 'make-u32vector (##core#inline "C_fixnum_shift_left" len 2) ext?))))
 	(when (and ext? fin?) (set-finalizer! v ext-free))
 	(if (not init)
@@ -347,7 +346,6 @@ EOF
 
   (set! make-s32vector
     (lambda (len #!optional (init #f)  (ext? #f) (fin? #t))
-      (##sys#check-exact len 'make-s32vector)
       (let ((v (##sys#make-structure 's32vector (alloc 'make-s32vector (##core#inline "C_fixnum_shift_left" len 2) ext?))))
 	(when (and ext? fin?) (set-finalizer! v ext-free))
 	(if (not init)
@@ -360,7 +358,6 @@ EOF
 
   (set! make-f32vector
     (lambda (len #!optional (init #f)  (ext? #f) (fin? #t))
-      (##sys#check-exact len 'make-f32vector)
       (let ((v (##sys#make-structure 'f32vector (alloc 'make-f32vector (##core#inline "C_fixnum_shift_left" len 2) ext?))))
 	(when (and ext? fin?) (set-finalizer! v ext-free))
 	(if (not init)
@@ -375,7 +372,6 @@ EOF
 
   (set! make-f64vector
     (lambda (len #!optional (init #f)  (ext? #f) (fin? #t))
-      (##sys#check-exact len 'make-f64vector)
       (let ((v (##sys#make-structure
 		'f64vector
 		(alloc 'make-f64vector (##core#inline "C_fixnum_shift_left" len 3) ext?))))
--
2.1.4