Date:      Thu, 30 Jan 2025 20:33:30 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 284472] bspatch(1): still one "attack vector"
Message-ID:  <bug-284472-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284472

            Bug ID: 284472
           Summary: bspatch(1): still one "attack vector"
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: steffen@sdaoden.eu

i had shared the following in private already, but since the code has not been
fixed i simply create a bug report.

<code>
 |The problem is that at the end of the loop there is a
 |
 |                  /* Adjust pointers */
 |  -               newpos+=ctrl[1];
 |  -               oldpos+=ctrl[2];
 |  +               newpos = add_off_t(newpos, ctrl[1]);
 |  +               oldpos = add_off_t(oldpos, ctrl[2]);
 |
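Review bot: add_off_t() only guards the addition against off_t overflow; ctrl[2] comes from the patch and may be negative, so after this line oldpos can be below zero, and nothing here rejects or records that. The lower-bound test at the later old[] access, not this line, is what keeps the read inside the buffer, so that test must survive the conversion.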
 |but before that we have
 |
 |                  /* Add old data to diff string */
 |                  for (i = 0; i < ctrl[0]; i++)
 |  -                       if ((oldpos + i >= 0) && (oldpos + i < oldsize))
 |  +                       if (add_off_t(oldpos, i) < oldsize)
 |                                  new[newpos + i] += old[oldpos + i];
 |
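Review bot: the replaced condition drops the `oldpos + i >= 0` half and keeps only an upper bound. Because the pointer adjustment adds a patch-supplied, possibly negative ctrl[2] to oldpos, a negative oldpos satisfies `add_off_t(oldpos, i) < oldsize` and `old[oldpos + i]` then reads before the start of old[]. Keep the lower bound, computing the index once: `off_t idx = add_off_t(oldpos, i); if (idx >= 0 && idx < oldsize)`.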
 |so if ctrl[2] is only "negative enough" then in the next loop tick
 |old will be accessed at a negative offset, i would think.
</code>

(I think the analysis was right.)
btw i have created a "bsdipa" fork which is, i think, an iterated variant of
bsdiff/bspatch:

<code>
s-bsdipa (ZLIB; 0.5.3): create or apply binary difference patch

  s-bsdipa [!]patch    after  patch restored
  s-bsdipa [!]diff     before after patch
  s-bsdipa [!]xdiff    before after patch
  s-bsdipa [!]diff/VAL before after patch

The first uses "patch" to create "restored" from "after".
The latter create "patch" from the difference of "after" and "before";
they differ in the size of the "magic window": diff uses the built-in value,
xdiff uses 16, whereas diff/VAL expects a positive integer to be used instead.
An existing target is overwritten if the subcommand is prefixed with "!".
Some statistics are written on standard output.

. Patches use ZLIB compression.
</code>

Adding a zstd variant would be easy.

-- 
You are receiving this mail because:
You are the assignee for the bug.
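The range check discussed in the report, shown as an added C example that is not part of the report or of FreeBSD's bspatch(1): the upper-bound-only test beside a two-sided one, and one "add old data" step run over constructed buffers with a negative ctrl[2]. The add_off_t() helper here is an assumption modelled on the name in the quoted patch (it aborts on overflow); the sample buffers and control values are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Checked off_t addition, modelled on the add_off_t() helper named in the
 * report (assumption: the real helper aborts on overflow the same way). */
static off_t add_off_t(off_t a, off_t b)
{
	off_t r;

	if (__builtin_add_overflow(a, b, &r)) {
		fprintf(stderr, "Corrupt patch: off_t overflow\n");
		exit(1);
	}
	return r;
}

/* Range test as it reads after the quoted change: upper bound only. */
int in_range_after(off_t oldpos, off_t i, off_t oldsize)
{
	return add_off_t(oldpos, i) < oldsize;
}

/* Range test with the lower bound restored; the index is computed once. */
int in_range_fixed(off_t oldpos, off_t i, off_t oldsize)
{
	off_t idx = add_off_t(oldpos, i);

	return idx >= 0 && idx < oldsize;
}

/* One "add old data to diff string" step using the two-sided test.
 * Bytes whose old[] index falls outside the buffer add nothing, which is
 * what the original two-sided condition did. Returns 0 on success, -1 if
 * the control block would write outside new[]. */
int add_old_data(uint8_t *new, off_t newsize, off_t newpos,
    const uint8_t *old, off_t oldsize, off_t oldpos, off_t ctrl0)
{
	off_t i;

	if (ctrl0 < 0 || newpos < 0 || add_off_t(newpos, ctrl0) > newsize)
		return -1;
	for (i = 0; i < ctrl0; i++)
		if (in_range_fixed(oldpos, i, oldsize))
			new[newpos + i] += old[oldpos + i];
	return 0;
}

/* Walks the scenario from the report on constructed buffers: a
 * patch-supplied ctrl[2] of -4 moves oldpos from 2 to -2, and the next
 * ctrl[0] of 4 then covers old[] indices -2, -1, 0, 1. Only the last two
 * are inside old[], so new[2] becomes 30+1 and new[3] becomes 40+2.
 * Returns new[2]*100 + new[3], or -1 if the step is rejected. */
int demo_negative_offset(void)
{
	const uint8_t old[4] = { 1, 2, 3, 4 };   /* constructed sample */
	uint8_t new[4] = { 10, 20, 30, 40 };     /* constructed sample */
	off_t oldpos = 2;

	/* "Adjust pointers" with ctrl[2] == -4 taken from the patch. */
	oldpos = add_off_t(oldpos, -4);          /* now -2 */
	if (add_old_data(new, 4, 0, old, 4, oldpos, 4) != 0)
		return -1;
	return new[2] * 100 + new[3];            /* 3142 */
}

int main(void)
{
	printf("upper-bound-only test admits index -2: %d\n",
	    in_range_after(-2, 0, 4));
	printf("two-sided test rejects index -2: %d\n",
	    !in_range_fixed(-2, 0, 4));
	printf("demo result: %d\n", demo_negative_offset());
	return 0;
}
```

The point of computing the index once is that the overflow guard and the bounds test then look at the same value; the two-sided test is also what lets a patch that legitimately runs slightly past either end of the old file apply without reading outside the buffer.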
