Change #262844
| Category | libpcap |
| Changed by | Denis Ovsienko <denis@ovsienko.info> |
| Changed at | Sat 28 Mar 2026 12:50:50 |
| Repository | https://git.tcpdump.org/libpcap |
| Project | libpcap |
| Branch | master |
| Revision | 6cbce587926aa9e4c5a7749e41813f4ff1971578 |
Comments
Keep compiler_state_t.cur_chunk less than NCHUNKS.

When newchunk_nolongjmp() finds that the current chunk does not have enough free space for the requested data size, it allocates the next chunk if the chunk count limit has not been reached, otherwise it returns an error. As Aniruddhan Murali from University of Waterloo points out, in the latter case it also increments the chunk index beyond the end of the array, which potentially could cause an OOBR in a subsequent invocation of the function and snowball from there.

However, the current definition of struct compiler_state_t means the first such subsequent invocation would read out of the array bounds, but still from within the structure, and would always return an error. The only code path where this was possible always terminated parsing on the error, and no longer exists since commit 6fe3ac3, so by coincidence this bug has been harmless for a long time, if not always.

To make this code obviously safe, first check that the current chunk is not the last, and only then increment the chunk index, not the opposite way around. While at it, make the error message more useful for any future debugging and access the current chunk index without an intermediate variable.
Changed files
- gencode.c
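The ordering problem the commit message describes, shown on a small constructed allocator. This is an added example written for this page, not libpcap's gencode.c; NCHUNKS, CHUNKSIZE, the struct layout and the function names newchunk_buggy / newchunk_fixed are assumptions chosen for illustration. The buggy variant advances cur_chunk before checking the limit, so after a failure the index equals NCHUNKS and any further call would index one past the array; the fixed variant checks that the current chunk is not the last before advancing, so the index never leaves [0, NCHUNKS).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a bounded chunk allocator. NCHUNKS, CHUNKSIZE and the
 * struct layout are assumptions for this example, not libpcap's definitions. */
#define NCHUNKS   4
#define CHUNKSIZE 64

struct chunk {
    size_t n_left;            /* bytes still free in this chunk */
    char  *m;                 /* chunk memory, NULL until allocated */
};

struct compiler_state {
    struct chunk chunks[NCHUNKS];
    int  cur_chunk;           /* index of the chunk allocations come from */
    char errmsg[128];         /* last error, for the caller to report */
};

static void cs_init(struct compiler_state *cs)
{
    memset(cs, 0, sizeof *cs);
    cs->chunks[0].m = malloc(CHUNKSIZE);
    cs->chunks[0].n_left = cs->chunks[0].m ? CHUNKSIZE : 0;
}

static void cs_free(struct compiler_state *cs)
{
    for (int i = 0; i < NCHUNKS; i++)
        free(cs->chunks[i].m);
}

/* Carve n bytes from the top of a chunk; the caller has ensured they fit. */
static void *carve(struct chunk *cp, size_t n)
{
    cp->n_left -= n;
    return cp->m + cp->n_left;
}

/* Wrong order (the bug described above): bump the index, check afterwards.
 * On failure cur_chunk is left equal to NCHUNKS, so a further call would
 * read chunks[NCHUNKS], one element past the end of the array. */
static void *newchunk_buggy(struct compiler_state *cs, size_t n)
{
    if (n > CHUNKSIZE) return NULL;
    if (cs->chunks[cs->cur_chunk].n_left < n) {
        int k = ++cs->cur_chunk;                 /* index advanced ... */
        if (k >= NCHUNKS) {                      /* ... before the check */
            snprintf(cs->errmsg, sizeof cs->errmsg, "out of memory");
            return NULL;
        }
        cs->chunks[k].m = malloc(CHUNKSIZE);
        if (cs->chunks[k].m == NULL) return NULL;
        cs->chunks[k].n_left = CHUNKSIZE;
    }
    return carve(&cs->chunks[cs->cur_chunk], n);
}

/* Fixed order: refuse while the index points at the last chunk, and only
 * then advance it. cur_chunk never leaves [0, NCHUNKS). */
static void *newchunk_fixed(struct compiler_state *cs, size_t n)
{
    if (n > CHUNKSIZE) {
        snprintf(cs->errmsg, sizeof cs->errmsg,
                 "request of %zu bytes exceeds chunk size %d", n, CHUNKSIZE);
        return NULL;
    }
    if (cs->chunks[cs->cur_chunk].n_left < n) {
        if (cs->cur_chunk == NCHUNKS - 1) {
            snprintf(cs->errmsg, sizeof cs->errmsg,
                     "out of memory: all %d chunks of %d bytes used, %zu bytes requested",
                     NCHUNKS, CHUNKSIZE, n);
            return NULL;                         /* cur_chunk untouched */
        }
        cs->cur_chunk++;
        struct chunk *cp = &cs->chunks[cs->cur_chunk];
        cp->m = malloc(CHUNKSIZE);
        if (cp->m == NULL) {
            snprintf(cs->errmsg, sizeof cs->errmsg, "malloc of chunk %d failed", cs->cur_chunk);
            return NULL;
        }
        cp->n_left = CHUNKSIZE;
    }
    return carve(&cs->chunks[cs->cur_chunk], n);
}

typedef void *(*newchunk_fn)(struct compiler_state *, size_t);

/* Allocate 16-byte objects until the allocator refuses; return the chunk
 * index it leaves behind and, via n_ok, how many requests succeeded. The
 * index is only read here, never used to index the array again. */
static int cur_chunk_after_exhaustion(newchunk_fn alloc, int *n_ok)
{
    struct compiler_state cs;
    int ok = 0;
    cs_init(&cs);
    while (ok < 10 * NCHUNKS * CHUNKSIZE && alloc(&cs, 16) != NULL)
        ok++;
    int idx = cs.cur_chunk;
    cs_free(&cs);
    if (n_ok) *n_ok = ok;
    return idx;
}

int main(void)
{
    int n;
    printf("buggy: cur_chunk=%d after failure (NCHUNKS=%d)\n",
           cur_chunk_after_exhaustion(newchunk_buggy, &n), NCHUNKS);
    printf("fixed: cur_chunk=%d after %d successful allocations\n",
           cur_chunk_after_exhaustion(newchunk_fixed, &n), n);
    return 0;
}
```

The harness deliberately stops at the first refusal: with the buggy ordering a second call would dereference chunks[NCHUNKS], which in this model is undefined behaviour rather than the in-structure read the commit message describes for libpcap's real layout. The check in the fixed variant is the one that matters for safety; the richer error text only helps whoever has to debug an exhausted allocator later.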