From: Karel Zak <kzak@redhat.com>
Date: Tue, 27 Feb 2024 17:38:02 +0000 (+0100)
Subject: hexdump: check blocksize when display data
X-Git-Tag: v2.42-start~510^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dfa1ad272528a92384adac523cf2f2949b767d8d;p=thirdparty%2Futil-linux.git

hexdump: check blocksize when display data

hexdump(1) stores input to buffer and apply format unit when prints
the output. The unit can move pointer which points to the buffer, but
code does not check for limits.

Fixes: https://github.com/util-linux/util-linux/issues/2806
Signed-off-by: Karel Zak <kzak@redhat.com>
---

diff --git a/text-utils/hexdump-display.c b/text-utils/hexdump-display.c
index bc92bd0ca..c865127c8 100644
--- a/text-utils/hexdump-display.c
+++ b/text-utils/hexdump-display.c
@@ -250,6 +250,8 @@ void display(struct hexdump *hex)
 	struct list_head *p, *q, *r;
 
 	while ((bp = get(hex)) != NULL) {
+		ssize_t rem = hex->blocksize;
+
 		fs = &hex->fshead; savebp = bp; saveaddress = address;
 
 		list_for_each(p, fs) {
@@ -263,7 +265,7 @@ void display(struct hexdump *hex)
 
 				cnt = fu->reps;
 
-				while (cnt) {
+				while (cnt && rem >= 0) {
 					list_for_each(r, &fu->prlist) {
 						pr = list_entry(r, struct hexdump_pr, prlist);
 
@@ -280,12 +282,18 @@ void display(struct hexdump *hex)
 							print(pr, bp);
 
 						address += pr->bcnt;
+
+						rem -= pr->bcnt;
+						if (rem < 0)
+							break;
+
 						bp += pr->bcnt;
 					}
 					--cnt;
 				}
 			}
 			bp = savebp;
+			rem = hex->blocksize;
 			address = saveaddress;
 		}
 	}