From: Kevin Backhouse <securitylab@github.com>
Date: Fri, 12 Mar 2021 17:00:56 +0000 (+0100)
Subject: ask-password-api: fix error handling on invalid unicode character
X-Git-Tag: v247.4^0
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=069525e84a67375e27429cb490e8d28af78e673a;p=thirdparty%2Fsystemd.git

ask-password-api: fix error handling on invalid unicode character

The integer overflow happens when utf8_encoded_valid_unichar() returns an error
code. The error code is a negative number: -22. This overflows when it is
assigned to `z` (type `size_t`). This can cause an infinite loop if the value
of `q` is 22 or larger.

To reproduce the bug, you need to run `systemd-ask-password` and enter an
invalid unicode character, followed by a backspace character.

GHSL-2021-052

(cherry picked from commit 37ca78a35cd1b9f13e584ccf3d332413c7875e40)
---

diff --git a/src/shared/ask-password-api.c b/src/shared/ask-password-api.c
index 8d66f9ffa70..6fe7a02a76d 100644
--- a/src/shared/ask-password-api.c
+++ b/src/shared/ask-password-api.c
@@ -614,10 +614,10 @@ int ask_password_tty(
                                  * last one begins */
                                 q = 0;
                                 for (;;) {
-                                        size_t z;
+                                        int z;
 
                                         z = utf8_encoded_valid_unichar(passphrase + q, (size_t) -1);
-                                        if (z == 0) {
+                                        if (z <= 0) {
                                                 q = (size_t) -1; /* Invalid UTF8! */
                                                 break;
                                         }