patch 9.0.1847: [security] potential oob write in do_addsub()

Problem: potential oob write in do_addsub() Solution: don't overflow buf2, check size in for loop() Signed-off-by: Christian Brabandt <cb@256bit.org>
2025-10-12 06:44:06 -04:00 · 2023-09-02 19:43:33 +02:00
parent 4c6fe2e2ea
commit 889f6af371
2 changed files with 3 additions and 1 deletions
--- a/src/ops.c
+++ b/src/ops.c
@@ -2919,7 +2919,7 @@ do_addsub(
 	    for (bit = bits; bit > 0; bit--)
 		if ((n >> (bit - 1)) & 0x1) break;

-	    for (i = 0; bit > 0; bit--)
+	    for (i = 0; bit > 0 && i < (NUMBUFLEN - 1); bit--)
 		buf2[i++] = ((n >> (bit - 1)) & 0x1) ? '1' : '0';

 	    buf2[i] = '\0';