Comments (9)
It looks like the packager did enable extra hardening options, I'd take this issue to https://bugs.opensuse.org
from editorconfig-core-c.
My initial guess was that the quite long lines 31, 135, 153 and 171 were the problem. They all are over 2200 chars long. But apparently they were parsed just fine.
The `ij_php_array_initializer_new_line_after_left_brace` at line 303 mentioned in the trace is 50 chars long, but longer keys do exist before that, for instance `ij_coffeescript_method_parameters_new_line_after_left_paren` at line 231 is 59 chars long.
Currently there is a hard limit of 50 for keys and 255 for values in the specs. There has been a discussion in editorconfig/editorconfig#429 to increase the fixed lengths in the specs, but that hasn't yet led to any merged PR at this moment.
editorconfig/specification#21
editorconfig/editorconfig-core-test#41
from editorconfig-core-c.
An easy way to reproduce it:
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index d030664..05970b7 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -85,6 +85,9 @@ if(MSVC)
add_definitions("-J")
else()
add_definitions("-funsigned-char")
+ add_definitions("-D_FORTIFY_SOURCE=1")
+ add_definitions("-O2")
+ add_definitions("-Wall")
endif()
add_subdirectory(lib)
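Review bot: `add_definitions("-O2")` and `add_definitions("-Wall")` in the `else()` branch pass compiler options through a command meant for preprocessor definitions; use `add_compile_options()` for those two and keep only `-D_FORTIFY_SOURCE=1` as a definition. Because the branch is simply "not MSVC", the flags apply to every other compiler and every build type, so if this is meant to stay as a regression check rather than a one-off reproducer, gate it behind an option or a dedicated CI configuration.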
from editorconfig-core-c.
While #74 avoids the overflow and resulting crash, it means that any of the affected keys are silently ignored or overwrite the values of other keys, which is a misbehaviour. While this only affects files which technically violate the specification, there's no way to tell those apart from valid ones. Please reconsider whether this issue is really fixed.
from editorconfig-core-c.
@Vogtinator This is intended to be truncated. See the specification:

> The maximum length of a pair key is 50 characters and the maximum length of a pair value is 255 characters. Any key or value beyond these limits shall be ignored.

from editorconfig-core-c.
According to the specs it is fixed. See my comment above for the related issue and PRs about fixing the issue in the specs.
Once the specs are updated the cores should be updated accordingly.
from editorconfig-core-c.
> According to the specs it is fixed. See my comment above for the related issue and PRs about fixing the issue in the specs.

No, it's clearly violating the spec. The spec says:

> Any key or value beyond these limits shall be ignored.

Truncation is the opposite of ignoring. In this case it assigns the values into a different key.
from editorconfig-core-c.
Sorry for the confusion. I think you are right. The test is consistent with your interpretation of the specification (see the relevant lines in limits.in: the test case is testing whether the core library is properly ignoring the 51-char long key).
The C core test is passing this test, which means that it has already been acting properly. The resolving PR merely fixed the overflow issue (the insufficiently allocated array size).
from editorconfig-core-c.
I ran editorconfig through a debugger and can confirm that it's actually ignoring the keys properly indeed.
The reason for my confusion there was that the check for the length happens in `ini_parse_file`, so before `array_editorconfig_name_value_add` is actually called. I thought that was not the case, because otherwise the overflow couldn't happen, but there's simply an off-by-one error between the check in `ini_parse_file` and `array_editorconfig_name_value_add` which resulted in writing the null-terminator one past the array.
Sorry for the noise and thanks for the quick fix!
from editorconfig-core-c.
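The behaviour the thread settles on (ignore over-limit keys, and size the buffer for the terminator), as an added sketch that is not editorconfig-core-c's code. The struct and function names are hypothetical; only the 50/255 limits and the sample key come from the thread.

```c
#include <stddef.h>
#include <string.h>

#define MAX_KEY   50    /* spec limit quoted in the thread */
#define MAX_VALUE 255
#define MAX_PAIRS 8     /* constructed table size for this sketch */

/* Each buffer is the limit PLUS one byte for the NUL. With key[MAX_KEY],
 * a valid 50-char key would put its terminator at key[50], out of bounds. */
struct pair {
    char key[MAX_KEY + 1];
    char value[MAX_VALUE + 1];
};

struct pair_table { struct pair items[MAX_PAIRS]; size_t count; };

/* Returns 1 if stored, 0 if ignored (over a limit, or table full). */
int pair_table_add(struct pair_table *t, const char *key, const char *value)
{
    size_t klen = strlen(key), vlen = strlen(value);

    /* Ignore, never truncate: a truncated key could alias a valid key. */
    if (klen > MAX_KEY || vlen > MAX_VALUE || t->count >= MAX_PAIRS)
        return 0;

    struct pair *p = &t->items[t->count++];
    memcpy(p->key, key, klen + 1);       /* klen + 1 <= sizeof p->key */
    memcpy(p->value, value, vlen + 1);
    return 1;
}

const char *pair_table_get(const struct pair_table *t, const char *key)
{
    for (size_t i = 0; i < t->count; i++)
        if (strcmp(t->items[i].key, key) == 0)
            return t->items[i].value;
    return NULL;
}

int main(void)
{
    struct pair_table t = {0};
    /* constructed input: the 50-char key from the thread, then 51 chars */
    const char *k50 = "ij_php_array_initializer_new_line_after_left_brace";
    const char *k51 = "ij_php_array_initializer_new_line_after_left_bracex";
    pair_table_add(&t, k50, "true");
    pair_table_add(&t, k51, "false");
    return (t.count == 1 && pair_table_get(&t, k51) == NULL) ? 0 : 1;
}
```

Had the 51-character key been truncated to 50 instead of ignored, it would have overwritten the value of the valid key it shares a prefix with.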