There's a stack overflow bug in subversion/libsubr/checksum.c.
The functions svn_checksum__from_digest_fnv1a_32x4() and
svn_checksum__from_digest_fnv1a_32() both look something like this:
    svn_checksum_t *
    svn_checksum__from_digest_fnv1a_32x4(const unsigned char *digest,
                                         apr_pool_t *result_pool)
    {
      return checksum_create(svn_checksum_fnv1a_32x4, sizeof(digest), digest,
                             result_pool);
    }
The problem is that checksum_create() expects the length of the string
pointed to by digest, but sizeof(digest) returns the number of bytes that a
variable of type 'const unsigned char *' requires. These methods are
currently only called with uint32_t cast to an unsigned char, but on
platforms which have 8-byte pointers, this leads to a buffer overflow in
checksum_create() when it tries to read more than the provided 4 bytes.
I *think* the correct fix is to add a digest_size argument
to svn_checksum__from_digest_fnv1a_32x4() and
svn_checksum__from_digest_fnv1a_32(), but I'm not sure if there's a better
way which somebody more familiar with this code would know about.
By all accounts, this code hasn't been released yet, so it's not yet a
security issue (hence the post to dev@ and not private@), but I thought
somebody would like to be aware of it. :)
-Hyrum
Received on 2015-01-27 05:09:35 CET
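To illustrate the sizeof-on-a-pointer mistake described in the message and the proposed digest_size fix, here is an added, self-contained C example that is not Subversion code: toy_checksum_create(), buggy_digest_len(), buggy_from_digest(), fixed_from_digest() and the demo_* helpers are hypothetical stand-ins for checksum_create() and the svn_checksum__from_digest_fnv1a_32* wrappers, and the stand-in validates the requested length against the declared digest size so the mismatch is reported rather than over-read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A 32-bit FNV-1a digest is 4 bytes; the 32x4 variant in the message is the
   same width, so one constant serves the example. */
#define FNV1A_32_DIGEST_SIZE 4

/* Minimal stand-in for a checksum object: a bounded buffer plus a length. */
typedef struct {
    unsigned char digest[16];   /* largest digest this toy supports */
    size_t len;
} toy_checksum_t;

/* Stand-in for checksum_create(): copies `len` bytes from `digest`.
   Unlike the real function it knows the digest width it expects, so a
   wrong `len` is rejected instead of causing an out-of-bounds read. */
static int
toy_checksum_create(toy_checksum_t *out, const unsigned char *digest,
                    size_t len, size_t expected_len)
{
    if (len != expected_len || len > sizeof(out->digest))
        return -1;              /* length mismatch: refuse to copy */
    memcpy(out->digest, digest, len);
    out->len = len;
    return 0;
}

/* The length the buggy wrapper actually passes: sizeof of the pointer
   variable, which is 8 on LP64 and 4 on ILP32, never "the digest length". */
size_t
buggy_digest_len(const unsigned char *digest)
{
    (void)digest;
    return sizeof(digest);
}

/* Buggy wrapper, mirroring the pattern in the message. */
int
buggy_from_digest(toy_checksum_t *out, const unsigned char *digest)
{
    return toy_checksum_create(out, digest, buggy_digest_len(digest),
                               FNV1A_32_DIGEST_SIZE);
}

/* Fixed wrapper: the caller states how many digest bytes it is passing. */
int
fixed_from_digest(toy_checksum_t *out, const unsigned char *digest,
                  size_t digest_size)
{
    return toy_checksum_create(out, digest, digest_size,
                               FNV1A_32_DIGEST_SIZE);
}

/* Build a constructed 4-byte digest (the FNV-1a 32-bit offset basis, used
   only as sample bytes) and run it through one of the wrappers. */
static void
sample_digest(unsigned char out[FNV1A_32_DIGEST_SIZE])
{
    uint32_t fnv = 0x811c9dc5u;     /* constructed sample value */
    memcpy(out, &fnv, FNV1A_32_DIGEST_SIZE);
}

int demo_buggy(void)
{
    unsigned char d[FNV1A_32_DIGEST_SIZE];
    toy_checksum_t c;
    sample_digest(d);
    return buggy_from_digest(&c, d);   /* 0 only where sizeof(ptr) == 4 */
}

int demo_fixed(void)
{
    unsigned char d[FNV1A_32_DIGEST_SIZE];
    toy_checksum_t c;
    sample_digest(d);
    return fixed_from_digest(&c, d, sizeof d);   /* always 0 */
}

int main(void)
{
    unsigned char d[FNV1A_32_DIGEST_SIZE];
    printf("sizeof(pointer) = %zu, digest bytes = %d\n",
           buggy_digest_len(d), FNV1A_32_DIGEST_SIZE);
    printf("buggy wrapper: %s\n",
           demo_buggy() == 0 ? "accepted (only on 4-byte-pointer builds)"
                             : "rejected: length mismatch");
    printf("fixed wrapper: %s\n",
           demo_fixed() == 0 ? "accepted" : "rejected");
    return 0;
}
```

On a 64-bit build buggy_from_digest() asks for 8 bytes from a 4-byte buffer, which the stand-in refuses; the real checksum_create() has no such check and reads past the end, which is exactly why the wrapper needs an explicit digest_size parameter rather than a sizeof on the pointer.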