From 1d0e42879fa687a7b6856b1a63070e44bd8ed5c4 Mon Sep 17 00:00:00 2001 From: Tuomas Tynkkynen Date: Mon, 19 Feb 2018 17:32:11 +0200 Subject: [PATCH 1/3] libutil: Fix infinite loop in filterANSIEscapes on '\r' E.g. nix-instantiate --eval -E 'abort "\r"' hangs. Found by afl-fuzz. --- src/libutil/util.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/libutil/util.cc b/src/libutil/util.cc index f7a12d21b..341dedfdf 100644 --- a/src/libutil/util.cc +++ b/src/libutil/util.cc @@ -1216,7 +1216,7 @@ std::string filterANSIEscapes(const std::string & s, unsigned int width) else if (*i == '\r') // do nothing for now - ; + i++; else { t += *i++; w++; From 4ea9707591beceacf9988b3c185faf50da238403 Mon Sep 17 00:00:00 2001 From: Tuomas Tynkkynen Date: Mon, 19 Feb 2018 17:52:33 +0200 Subject: [PATCH 2/3] libexpr: Fix prim_replaceStrings() to work on an empty source string Otherwise, running e.g. nix-instantiate --eval -E --strict 'builtins.replaceStrings [""] ["X"] "abc"' would just hang in an infinite loop. Found by afl-fuzz. --- src/libexpr/primops.cc | 11 ++++++++--- tests/lang/eval-okay-replacestrings.exp | 2 +- tests/lang/eval-okay-replacestrings.nix | 2 ++ 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/src/libexpr/primops.cc b/src/libexpr/primops.cc index a800d2429..ab9351f11 100644 --- a/src/libexpr/primops.cc +++ b/src/libexpr/primops.cc @@ -1913,21 +1913,26 @@ static void prim_replaceStrings(EvalState & state, const Pos & pos, Value * * ar auto s = state.forceString(*args[2], context, pos); string res; - for (size_t p = 0; p < s.size(); ) { + // Loops one past last character to handle the case where 'from' contains an empty string. + for (size_t p = 0; p <= s.size(); ) { bool found = false; auto i = from.begin(); auto j = to.begin(); for (; i != from.end(); ++i, ++j) if (s.compare(p, i->size(), *i) == 0) { found = true; - p += i->size(); res += j->first; + if (i->empty()) { + res += s[p++]; + } else { + p += i->size(); + } for (auto& path : j->second) context.insert(path); j->second.clear(); break; } - if (!found) res += s[p++]; + if (!found && p < s.size()) res += s[p++]; } mkString(v, res, context); diff --git a/tests/lang/eval-okay-replacestrings.exp b/tests/lang/eval-okay-replacestrings.exp index a2add1b7b..590c281ac 100644 --- a/tests/lang/eval-okay-replacestrings.exp +++ b/tests/lang/eval-okay-replacestrings.exp @@ -1 +1 @@ -[ "faabar" "fbar" "fubar" "faboor" "fubar" ] +[ "faabar" "fbar" "fubar" "faboor" "fubar" "XaXbXcX" "X" ] diff --git a/tests/lang/eval-okay-replacestrings.nix b/tests/lang/eval-okay-replacestrings.nix index 6284a0e66..c84e9269f 100644 --- a/tests/lang/eval-okay-replacestrings.nix +++ b/tests/lang/eval-okay-replacestrings.nix @@ -5,4 +5,6 @@ with builtins; (replaceStrings ["oo"] ["u"] "foobar") (replaceStrings ["oo" "a"] ["a" "oo"] "foobar") (replaceStrings ["oo" "oo"] ["u" "i"] "foobar") + (replaceStrings [""] ["X"] "abc") + (replaceStrings [""] ["X"] "") ] From 546f98dace5c3569211caf392c9dde06a20aa7b0 Mon Sep 17 00:00:00 2001 From: Tuomas Tynkkynen Date: Mon, 19 Feb 2018 18:44:30 +0200 Subject: [PATCH 3/3] libutil: Fix invalid assert on decoding base64 hashes The assertion is broken because there is no one-to-one mapping from length of a base64 string to the length of the output. E.g. "1q69lz7Empb06nzfkj651413n9icx0njmyr3xzq1j9q=" results in a 32-byte output. "1q69lz7Empb06nzfkj651413n9icx0njmyr3xzq1j9qy" results in a 33-byte output. To reproduce, evaluate: builtins.derivationStrict { name = "0"; builder = "0"; system = "0"; outputHashAlgo = "sha256"; outputHash = "1q69lz7Empb06nzfkj651413n9icx0njmyr3xzq1j9qy"; } Found by afl-fuzz. --- src/libutil/hash.cc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/libutil/hash.cc b/src/libutil/hash.cc index 11e3c9dca..75e476755 100644 --- a/src/libutil/hash.cc +++ b/src/libutil/hash.cc @@ -189,7 +189,8 @@ Hash::Hash(const std::string & s, HashType type) else if (size == base64Len()) { auto d = base64Decode(std::string(s, pos)); - assert(d.size() == hashSize); + if (d.size() != hashSize) + throw BadHash("invalid base-64 hash '%s'", s); memcpy(hash, d.data(), hashSize); }