| commit | 6e4dd9ec3f14b48170fc45dc9d13a3261765f994 | |
| author | Joseph Griego <jgriego@fb.com> | |
| Mon, 14 Jan 2019 20:18:21 +0000 (14 12:18 -0800) | ||
| committer | Hhvm Bot <hhvm-bot@users.noreply.github.com> | |
| Mon, 14 Jan 2019 20:27:23 +0000 (14 12:27 -0800) | ||
| tree | 6cf57bef064b2b0c54ff3cd669b2ccd4f3ce6efb | treesnapshot (tar.gz zip) |
| parent | 50a1c8c05ef3955fbd0087f2028c7eb8e47063e1 | commitdiff |
CVE-2019-3557: Fix OOB read in readRecord on BZ2Files/OutputFiles
Summary:
These File subclasses return -1 on read errors which is not what is
expected for readImpl--this made File::readRecord behave unusually if the read
fails, causing it to read (size_t)(-1) bytes from its stream buffer; which,
unsurprisingly produces a out-of-bounds heap read.
Reviewed By: leikahing, jjgriego
Differential Revision: D13659395
fbshipit-source-id: 359ed6e3ff9f9cf49b752b666f51c4e0b3ce4b8a
Summary:
These File subclasses return -1 on read errors which is not what is
expected for readImpl--this made File::readRecord behave unusually if the read
fails, causing it to read (size_t)(-1) bytes from its stream buffer; which,
unsurprisingly produces a out-of-bounds heap read.
Reviewed By: leikahing, jjgriego
Differential Revision: D13659395
fbshipit-source-id: 359ed6e3ff9f9cf49b752b666f51c4e0b3ce4b8a
| hphp/runtime/base/output-file.cpp | diffblobblamehistory | |
| hphp/runtime/ext/bz2/bz2-file.cpp | diffblobblamehistory | |
| hphp/test/slow/oob_read_file.php | [new file with mode: 0644] | blob |
| hphp/test/slow/oob_read_file.php.expectf | [new file with mode: 0644] | blob |