From 534b07a4c1980eac78c081504df483c4209c474b Mon Sep 17 00:00:00 2001
From: Kevin Day
Date: Sat, 26 Jul 2025 16:24:48 -0500
Subject: [PATCH] Security: Invalid write in controller_entry_read() due to missing allocation. The `entry->items` must be increased when the `at` variable is increased.
---
 level_3/controller/c/entry/private-entry.c | 33 +++++++++++++++++++++++-------
 1 file changed, 26 insertions(+), 7 deletions(-)
diff --git a/level_3/controller/c/entry/private-entry.c b/level_3/controller/c/entry/private-entry.c
index 8742d43..b0d7dba 100644
--- a/level_3/controller/c/entry/private-entry.c
+++ b/level_3/controller/c/entry/private-entry.c
@@ -1726,16 +1726,35 @@ extern "C" {
 continue;
 }
- else if (entry->items.used) {
- at = entry->items.used++;
- }
 else {
+ if (entry->items.used) {
+ status = controller_entry_items_increase_by(controller_common_allocation_small_d, &entry->items);
+
+ if (F_status_is_error(status)) {
+ controller_entry_print_error(is_entry, global.main->error, cache->action, F_status_set_fine(status), "controller_entry_items_increase_by", F_true, global.thread);
+
+ break;
+ }
- // skip position 0, which is reserved for "main".
- entry->items.array[0].name.used = 0;
+ at = entry->items.used++;
+ }
+ else {
+ if (entry->items.size < 2) {
+ status = controller_entry_items_increase_by(2, &entry->items);
- at = 1;
- entry->items.used = 2;
+ if (F_status_is_error(status)) {
+ controller_entry_print_error(is_entry, global.main->error, cache->action, F_status_set_fine(status), "controller_entry_items_increase_by", F_true, global.thread);
+
+ break;
+ }
+ }
+
+ // skip position 0, which is reserved for "main".
+ entry->items.array[0].name.used = 0;
+
+ at = 1;
+ entry->items.used = 2;
+ }
 }
 entry->items.array[at].line = cache->action.line_item;
-- 
1.8.3.1
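Review bot: The two branches establish capacity differently before `entry->items.array[at]` is written: the `entry->items.used` branch calls `controller_entry_items_increase_by(controller_common_allocation_small_d, &entry->items)` for every new item although it consumes a single slot, while the `else` branch only grows when `entry->items.size < 2`. Whether `controller_entry_items_increase_by()` returns early when the requested room already exists is not visible in this hunk; if it always resizes, each item grows the array by the full step, so it is worth confirming or guarding the call with `if (entry->items.used >= entry->items.size)`. A short comment stating the invariant would make the memory-safety requirement explicit for the next reader, for example `// entry->items.array[at] is written below, so items.size must be greater than at.` The identical error-print-and-`break` block appears in both branches and could be shared. The enclosing loop and the handling of `status` after the `break` lie outside the hunk.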