From 95aacefe18fa1ccb1296c752d292279a2f84fb51 Mon Sep 17 00:00:00 2001 From: Karel Zak Date: Tue, 27 Feb 2024 18:38:02 +0100 Subject: [PATCH] hexdump: check blocksize when display data hexdump(1) stores input to buffer and apply format unit when prints the output. The unit can move pointer which points to the buffer, but code does not check for limits. Fixes: https://github.com/util-linux/util-linux/issues/2806 Signed-off-by: Karel Zak (cherry picked from commit dfa1ad272528a92384adac523cf2f2949b767d8d) --- text-utils/hexdump-display.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/text-utils/hexdump-display.c b/text-utils/hexdump-display.c index bc92bd0ca0..c865127c87 100644 --- a/text-utils/hexdump-display.c +++ b/text-utils/hexdump-display.c @@ -250,6 +250,8 @@ void display(struct hexdump *hex) struct list_head *p, *q, *r; while ((bp = get(hex)) != NULL) { + ssize_t rem = hex->blocksize; + fs = &hex->fshead; savebp = bp; saveaddress = address; list_for_each(p, fs) { @@ -263,7 +265,7 @@ void display(struct hexdump *hex) cnt = fu->reps; - while (cnt) { + while (cnt && rem >= 0) { list_for_each(r, &fu->prlist) { pr = list_entry(r, struct hexdump_pr, prlist); @@ -280,12 +282,18 @@ void display(struct hexdump *hex) print(pr, bp); address += pr->bcnt; + + rem -= pr->bcnt; + if (rem < 0) + break; + bp += pr->bcnt; } --cnt; } } bp = savebp; + rem = hex->blocksize; address = saveaddress; } } -- 2.47.3
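Review bot: In the third hunk the new bound is tested only after `print(pr, bp)` has already read `pr->bcnt` bytes at `bp`, and the guard added in the second hunk, `rem >= 0`, still lets an iteration start with `rem == 0`. Unless the buffer returned by `get()` has slack beyond `hex->blocksize` (not visible in these hunks), the last unit can still be read past the end of the block before the loop stops. Testing before the read would close that gap: put `if (rem < pr->bcnt) break;` ahead of the print call and tighten the guard to `while (cnt && rem > 0)`. The `break` leaves only the inner `list_for_each`, so a short comment such as `/* rem < 0 also terminates the enclosing while */` would make the dependency on the outer guard explicit. The body of `display()` between and after the hunks is not shown, so confirm against the full function that no other path advances `bp` without updating `rem`.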