This is the mail archive of the glibc-bugs@sources.redhat.com mailing list for the glibc project.



[Bug libc/756] missing arithmetic overflow check


------- Additional Comments From simon at josefsson dot org  2005-02-23 23:28 -------
No, I think the problem is if:

  size_t outbuf_size = (inbytes_remaining + 1) * MB_LEN_MAX;

results in 0, due to some overflow in the * operation.  I.e., let's say strlen(p) is SIZE_MAX / MB_LEN_MAX - 1.  Then outbuf_size would be 0, and then

  size_t outbytes_remaining = outbuf_size - 1; /* -1 for NUL */

outbytes_remaining would be SIZE_MAX, which leads to a buffer overrun because
iconv will think the buffer is SIZE_MAX large, but the allocated size is only 0.

I could be mistaken though, I find the issues slightly subtle at times.


http://sources.redhat.com/bugzilla/show_bug.cgi?id=756
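A constructed demonstration of the wraparound described in the comment above, with the pre-multiplication check that prevents it. This is an added example, not code from the bug report or from glibc; the function names and the test length are mine, and the size arithmetic mirrors the two lines quoted in the comment.

```c
#include <limits.h>   /* MB_LEN_MAX */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>   /* SIZE_MAX */
#include <stdio.h>

/* The size computation as quoted in the report.  size_t multiplication
 * wraps modulo SIZE_MAX + 1, so a large enough length yields a tiny value;
 * on 64-bit glibc (MB_LEN_MAX == 16) the length below gives exactly 0. */
static size_t outbuf_size_unchecked(size_t inbytes_remaining)
{
    return (inbytes_remaining + 1) * MB_LEN_MAX;
}

/* True when (n + 1) * MB_LEN_MAX does not fit in size_t.  Dividing SIZE_MAX
 * instead of multiplying n avoids performing the overflowing operation. */
static bool outbuf_size_overflows(size_t n)
{
    return n == SIZE_MAX || n + 1 > SIZE_MAX / MB_LEN_MAX;
}

/* Hardened version: refuses the length instead of returning a wrapped size. */
static bool outbuf_size_checked(size_t inbytes_remaining, size_t *out)
{
    if (outbuf_size_overflows(inbytes_remaining))
        return false;
    *out = (inbytes_remaining + 1) * MB_LEN_MAX;
    return true;
}

/* Second step from the report: 0 - 1 wraps to SIZE_MAX, the bogus capacity
 * iconv would then be told the output buffer has. */
static size_t outbytes_remaining_from(size_t outbuf_size)
{
    return outbuf_size - 1;
}

int main(void)
{
    /* Smallest strlen(p) for which the multiplication is guaranteed to wrap. */
    size_t n = SIZE_MAX / MB_LEN_MAX;
    size_t wrapped = outbuf_size_unchecked(n);
    size_t safe;

    printf("strlen(p) = %zu -> unchecked outbuf_size = %zu\n", n, wrapped);
    printf("outbytes_remaining would be %zu\n", outbytes_remaining_from(wrapped));
    printf("checked computation %s\n",
           outbuf_size_checked(n, &safe) ? "succeeded" : "rejected the length");
    return 0;
}
```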
