This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[Bug libc/13656] New: vfprintf nargs integer overflow

From: "kees at outflux dot net" <sourceware-bugzilla at sourceware dot org>
To: glibc-bugs at sources dot redhat dot com
Date: Thu, 02 Feb 2012 20:52:43 +0000
Subject: [Bug libc/13656] New: vfprintf nargs integer overflow
Auto-submitted: auto-generated

http://sourceware.org/bugzilla/show_bug.cgi?id=13656

             Bug #: 13656
           Summary: vfprintf nargs integer overflow
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
        AssignedTo: drepper.fsp@gmail.com
        ReportedBy: kees@outflux.net
    Classification: Unclassified


The nargs value can overflow when doing allocations, and argument-based offsets
are not bounds-checked, allowing arbitrary memory writes via format strings,
bypassing _FORTIFY_SOURCE protections:

http://www.phrack.org/issues.html?issue=67&id=9

Patch in progress:
http://cygwin.com/ml/libc-alpha/2012-02/msg00016.html

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

Follow-Ups:
- [Bug libc/13656] vfprintf nargs integer overflow
  - From: thoger at redhat dot com
- [Bug stdio/13656] vfprintf nargs integer overflow
  - From: jsm28 at gcc dot gnu.org

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]