Bug #20359808 - OUT OF BOUNDS WRITE (OFF BY ONE)

Shishir Jaiswal · Shishir Jaiswal · commit 1cdd3b832ae3 · 2015-05-26T10:56:29.000+05:30
DESCRIPTION
===========
/strings/ctype.c:

In cs_value() for one of the cases (Rules: Context), the
length check condition is flawed. With current behaviour
it allows the program to write even if length of "attribute"
is equal to size of "context" which results in memory
corruption. This happens since the extra terminating NULL
is written at the start of the adjacent variable.

ANALYSIS
========
The program should allow to write it only if the length of
former is less than size of latter. So the "+ 1" should be
dropped from the following condition:

if (len &lt; sizeof(i-&gt;context) + 1)

In the regular scenario when program writes well within its
boundary, this corruption doesn't happen.

FIX
===
Dropped "+ 1" from the condition so that the required check
is made correctly.
diff --git a/strings/ctype.c b/strings/ctype.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -752,7 +752,7 @@ static int cs_value(MY_XML_PARSER *st,const char *attr, size_t len)
 
   /* Rules: Context */
   case _CS_CONTEXT:
-    if (len < sizeof(i->context) + 1)
+    if (len < sizeof(i->context))
     {
       memcpy(i->context, attr, len);
       i->context[len]= '\0';
