#181 OSS-Fuzz DOTCODE codeword_array buffer overrun fix

This commit is contained in:
gitlost 2020-03-31 13:02:53 +01:00
parent 22354a81f1
commit f5149990eb
2 changed files with 10 additions and 5 deletions


@ -2,7 +2,7 @@
/* /*
libzint - the open source barcode library libzint - the open source barcode library
Copyright (C) 2017-2019 Robin Stuart <rstuart114@gmail.com> Copyright (C) 2017-2020 Robin Stuart <rstuart114@gmail.com>
Redistribution and use in source and binary forms, with or without Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions modification, are permitted provided that the following conditions
@ -38,7 +38,6 @@
#include <stdio.h> #include <stdio.h>
#include <string.h> #include <string.h>
#include <stdlib.h>
#include <math.h> #include <math.h>
#ifndef _MSC_VER #ifndef _MSC_VER
#include <stdint.h> #include <stdint.h>
@ -1297,16 +1296,17 @@ INTERNAL int dotcode(struct zint_symbol *symbol, const unsigned char source[], i
int binary_finish = 0; int binary_finish = 0;
int debug = symbol->debug; int debug = symbol->debug;
int padding_dots, is_first; int padding_dots, is_first;
int codeword_array_len = length * 4 + 8; /* Allow up to 4 codewords per input + 2 (FNC) + 4 (ECI) + 2 (special char 1st position) */
#ifdef _MSC_VER #ifdef _MSC_VER
unsigned char* masked_codeword_array; unsigned char* masked_codeword_array;
#endif #endif
#ifndef _MSC_VER #ifndef _MSC_VER
unsigned char codeword_array[length * 3]; unsigned char codeword_array[codeword_array_len];
#else #else
char* dot_stream; char* dot_stream;
char* dot_array; char* dot_array;
unsigned char* codeword_array = (unsigned char *) _alloca(length * 3 * sizeof (unsigned char)); unsigned char* codeword_array = (unsigned char *) _alloca(codeword_array_len);
#endif /* _MSC_VER */ #endif /* _MSC_VER */
if (symbol->eci > 811799) { if (symbol->eci > 811799) {
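Review bot: The new bound `int codeword_array_len = length * 4 + 8;` is justified only by its comment; nothing at the codeword write sites checks against it, so a later change to the encoder's per-character worst case would silently reintroduce the stack buffer overrun this commit fixes. Consider passing `codeword_array_len` into the encoding routine and bounds-checking each codeword emission, or at minimum asserting the final count against it once encoding is done, e.g. `assert(<codeword count> <= codeword_array_len);` with whatever name the function uses for its output length. If `length` is not capped earlier in the function, `length * 4 + 8` can overflow a signed `int`, and both the VLA and the `_alloca` request scale with the untrusted input size, so confirm an upper bound on `length` is enforced before this point. The body of dotcode() continues well beyond the hunk, so the write sites are not visible here.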


@ -45,7 +45,7 @@ static void test_fuzz(void)
}; };
// s/\/\*[ 0-9]*\*\//\=printf("\/*%3d*\/", line(".") - line("'<")) // s/\/\*[ 0-9]*\*\//\=printf("\/*%3d*\/", line(".") - line("'<"))
struct item data[] = { struct item data[] = {
/* 0*/ { "(\207'", -1, DATA_MODE, 0 }, // 0x28,0x87,0x27 Note: should but doesn't trigger sanitize error if no length check, for some reason; TODO: determine why /* 0*/ { "(\207'", -1, DATA_MODE, 0 }, // 0x28,0x87,0x27 Note: should but doesn't trigger sanitize error if no length check, for some reason; UPDATE: use up-to-date gcc (9)!
/* 1*/ { /* 1*/ {
"\133\061\106\133\061\106\070\161\116\133\116\116\067\040\116\016\000\116\125\111\125\125\316\125\125\116\116\116\116\117\116\125" "\133\061\106\133\061\106\070\161\116\133\116\116\067\040\116\016\000\116\125\111\125\125\316\125\125\116\116\116\116\117\116\125"
"\111\125\103\316\125\125\116\116\116\116\117\000\000\116\136\116\116\001\116\316\076\116\116\057\136\116\116\134\000\000\116\116" "\111\125\103\316\125\125\116\116\116\116\117\000\000\116\136\116\116\001\116\316\076\116\116\057\136\116\116\134\000\000\116\116"
@ -62,6 +62,11 @@ static void test_fuzz(void)
"\071\071\071\011\071\071\071\071\071\071\071\071\071\071\071\071\071\071\105\105\105\105\105\105\105\105\105\105\105\105\105\071" "\071\071\071\011\071\071\071\071\071\071\071\071\071\071\071\071\071\071\105\105\105\105\105\105\105\105\105\105\105\105\105\071"
"\071\071\071\071\071", // Original OSS-Fuzz triggering data for index out of bounds (encoding of HT/FS/GS/RS when shifting to code set B) "\071\071\071\071\071", // Original OSS-Fuzz triggering data for index out of bounds (encoding of HT/FS/GS/RS when shifting to code set B)
421, UNICODE_MODE, ZINT_WARN_USES_ECI }, 421, UNICODE_MODE, ZINT_WARN_USES_ECI },
/* 2*/ { "\233:", -1, UNICODE_MODE, ZINT_WARN_USES_ECI }, // Original OSS-Fuzz triggering data for codeword_array buffer overflow, L777
/* 3*/ { "\241\034", -1, UNICODE_MODE, ZINT_WARN_USES_ECI }, // As above L793
/* 4*/ { "\270\036", -1, UNICODE_MODE, ZINT_WARN_USES_ECI }, // As above L799
/* 5*/ { "\237\032", -1, UNICODE_MODE, ZINT_WARN_USES_ECI }, // As above L904
/* 6*/ { "\237", -1, UNICODE_MODE, ZINT_WARN_USES_ECI }, // As above L1090
}; };
int data_size = sizeof(data) / sizeof(struct item); int data_size = sizeof(data) / sizeof(struct item);
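Review bot: The comments on the five new entries (`/* 2*/` through `/* 6*/`) anchor each regression case to a dotcode.c line number (`L777`, `L793`, …), which will drift as soon as the encoder is edited; entry 1 already shows the better form, naming the code path that overflowed. Suggest rewording each along the lines of `// Original OSS-Fuzz data: codeword_array overflow in <code path> (dotcode.c L777 at f5149990eb)` so the reference stays meaningful after the line moves. It would also help to state in a comment on `data[]` that these cases only detect a recurrence when built with a sanitizer, since the harness appears to assert just the return value; the loop that consumes `data[]` is outside the hunk, so confirm what it checks.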