    Fix fscanf format string security bug in layout.c · c1099d8f
    Carl-Daniel Hailfinger authored
    
    
    An internal security audit of the flashrom project by
    Carl-Daniel Hailfinger found a buffer overflow bug present in all
    flashrom versions since the year 2005.
    This bug was independently found and reported to flashrom.org by
    Cosmin Gorgovan a few days ago. 
    
    A buffer on the stack and a buffer on the heap are affected by the
    overflow caused by an incorrect fscanf format string.
    The buffer overflow can only be triggered if the optional layout feature
    is used and if the user manually specifies a specially crafted layout
    file on the command line. Command line parsing and flash image handling
    do not trigger the buggy code path.
    Most usage of flashrom does not involve layout files.
    
    The fix in this commit (changed fscanf format string) can be applied to
    layout.c of all past flashrom versions.
    
    Corresponding to flashrom svn r1953.
    Signed-off-by: Carl-Daniel Hailfinger <c-d.hailfinger.devel.2006@gmx.net>
    Acked-by: Stefan Tauner <stefan.tauner@alumni.tuwien.ac.at>
layout.c 8.46 KB
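The overflow pattern the commit message describes, as an added C example that is not flashrom's layout.c (buffer sizes, the exact format string and the "0xSTART:0xEND name" line syntax are assumptions here): a width-bounded sscanf parser shown beside the unbounded form in a comment, with a %n check that rejects tokens longer than the field width instead of silently truncating them.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Buffer size is assumed for this example (the page does not give the real
 * sizes in layout.c); WIDTH is one less, leaving room for the NUL. */
#define NAME_LEN 256
#define WIDTH "255"

struct romentry { unsigned long start, end; char name[NAME_LEN]; };

/* Parse one "0xSTART:0xEND name" line (format assumed here). Returns 0 on
 * success, -1 on malformed or oversized input. The unsafe shape the commit
 * message describes is an unbounded  sscanf(line, "%s %s", tmp, e->name);
 * which overruns tmp[] (stack) or name[] (heap) on a long token. A field
 * width bounds each conversion; %n then detects silent truncation. */
int parse_layout_line(const char *line, struct romentry *e)
{
	char tmp[NAME_LEN];
	int n = 0;
	if (sscanf(line, "%" WIDTH "s %" WIDTH "s%n", tmp, e->name, &n) != 2)
		return -1;
	/* a non-space byte right after the name means the token was cut off */
	if (line[n] != '\0' && !isspace((unsigned char)line[n]))
		return -1;
	/* the range must be exactly two hex numbers with nothing trailing */
	if (sscanf(tmp, "%lx:%lx%n", &e->start, &e->end, &n) != 2 || tmp[n] != '\0')
		return -1;
	return e->start <= e->end ? 0 : -1;
}

/* Constructed inputs for a stand-alone check. */
int demo_good_line(void)
{
	struct romentry e;
	if (parse_layout_line("0x00000000:0x0000ffff bootblock\n", &e) != 0)
		return 0;
	return e.start == 0 && e.end == 0xffff && !strcmp(e.name, "bootblock");
}

int demo_oversized_name_rejected(void)
{
	struct romentry e;
	char line[NAME_LEN + 64] = "0x00010000:0x0001ffff ";
	memset(line + strlen(line), 'A', NAME_LEN + 20);  /* 276 'A's > name[] */
	return parse_layout_line(line, &e) == -1;
}
```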