From 632bbe475c2d948cdae4eaba3367b9e65c5ff141 Mon Sep 17 00:00:00 2001
From: Saagar Jha
Date: Mon, 10 Apr 2023 01:29:07 -0700
Subject: [PATCH 1/2] Avoid reading too much data in xs_data_new

---
 xs.h | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/xs.h b/xs.h
index 2fc7dda..fef91b7 100644
--- a/xs.h
+++ b/xs.h
@@ -1057,12 +1057,12 @@ xs_data *xs_data_new(const void *data, int size)
 xs_data *v;
 /* add the overhead (data type + 24bit size) */
- size += 4;
+ int total_size = size + 4;
- v = xs_realloc(NULL, _xs_blk_size(size));
+ v = xs_realloc(NULL, _xs_blk_size(total_size));
 v[0] = XSTYPE_DATA;
- _xs_put_24b(v + 1, size);
+ _xs_put_24b(v + 1, total_size);
 memcpy(&v[4], data, size);
From ea9c030249cb3db7a923c8e546df9897e0a39384 Mon Sep 17 00:00:00 2001
From: Saagar Jha
Date: Mon, 10 Apr 2023 01:34:48 -0700
Subject: [PATCH 2/2] Fix heap overflow from curl-originating buffers

Most of xs.h seems to expect that buffers are rounded up to block size, so we should preserve that invariant here. (In particular, xs_expand will avoid calling xs_realloc if the new size fits in the same block, which means that if we don't pad out the data it will expand out of the memory we're allocated.)
---
 xs_curl.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/xs_curl.h b/xs_curl.h
index e880a0d..ca90f92 100644
--- a/xs_curl.h
+++ b/xs_curl.h
@@ -55,7 +55,7 @@ static int _data_callback(void *buffer, size_t size,
 /* open space */
 pd->size += sz;
- pd->data = xs_realloc(pd->data, pd->size + 1);
+ pd->data = xs_realloc(pd->data, _xs_blk_size(pd->size + 1));
 /* copy data */
 memcpy(pd->data + pd->offset, buffer, sz);
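Review bot: The new `int total_size = size + 4;` still takes `size` unvalidated, and `size` is a plain `int` per the hunk header's signature, so a negative value reaches `memcpy(&v[4], data, size)` as a huge `size_t` after a tiny allocation, and a value near `INT_MAX` makes `size + 4` signed overflow before `_xs_blk_size` sees it. The header is only 24 bits wide (the comment says "24bit size"), so anything above that limit is also silently truncated by `_xs_put_24b` while the full `size` bytes are copied. A guard before the allocation such as `if (size < 0 || size > 0xffffff - 4) return NULL;` closes both, assuming NULL is an acceptable failure return for this module's callers. The body of xs_data_new begins before this hunk (its opening brace is not shown) and continues past it.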
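Review bot: `pd->size += sz;` followed by `_xs_blk_size(pd->size + 1)` places no upper bound on how much response body is accumulated, so a remote server can grow this buffer without limit; the first patch shows `_xs_blk_size` being handed an `int`, and if `pd->size` is also `int` (its declaration is outside the hunk) a large body overflows it before the rounding the commit adds. The result of `xs_realloc` is assigned straight into `pd->data` and then dereferenced by `memcpy`, which is fine only if `xs_realloc` aborts rather than returning NULL; worth a comment either way, e.g. `/* xs_realloc aborts on failure — confirm */`. A cap check before the realloc, e.g. `if (sz > MAX_BODY - pd->size) return 0;` with MAX_BODY a project-chosen limit, would let curl abort the transfer early. _data_callback starts before this hunk and continues after it.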