This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug libc/14621] New: glob uses int rather than size_t for variables counting objects in memory
- From: "jsm28 at gcc dot gnu.org" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sources dot redhat dot com
- Date: Tue, 25 Sep 2012 15:43:58 +0000
- Subject: [Bug libc/14621] New: glob uses int rather than size_t for variables counting objects in memory
- Auto-submitted: auto-generated
http://sourceware.org/bugzilla/show_bug.cgi?id=14621
Bug #: 14621
Summary: glob uses int rather than size_t for variables counting objects in memory
Product: glibc
Version: 2.16
Status: NEW
Severity: normal
Priority: P2
Component: libc
AssignedTo: unassigned@sourceware.org
ReportedBy: jsm28@gcc.gnu.org
CC: drepper.fsp@gmail.com
Classification: Unclassified
glob uses int rather than size_t for variables called old_pathc and newcount,
which are assigned values from fields whose type is size_t (or arithmetic on
such size_t values).
I haven't attempted to construct a test showing incorrect behavior from glob
resulting from these size_t values overflowing the range of int, but I suspect
that it would be possible to produce exploitable memory corruption, given a
64-bit system with several tens of GB of memory and a privileged process using
glob with an untrusted pattern and filesystem contents.
The variable depth in next_brace_sub is unsigned int and similarly should be
size_t, though that looks less likely to be exploitable.
Testing a patch.
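The narrowing the report describes, as an added example that is not part of the original message and is not glibc's code: a size_t path count stored in an int counter (named old_pathc after the report) loses its high bits before an allocation size is computed, shown next to a checked size_t form. The function names, the sample count and the one-extra-slot layout are assumptions made for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: a path count just past 2^32, reachable only on a
   64-bit system with a very large amount of memory. */
#define SAMPLE_PATHC ((size_t) UINT_MAX + 6)

/* Narrowed form (hypothetical helper): the size_t count is stored in an int
   first. The out-of-range conversion is implementation-defined; GCC
   documents reduction modulo 2^N, so the high bits are dropped. */
static size_t bytes_with_int_counter(size_t pathc, size_t entry_size)
{
    int old_pathc = (int) pathc;                   /* truncation happens here */
    return ((size_t) old_pathc + 1) * entry_size;  /* +1 for a NULL slot */
}

/* Checked form (hypothetical helper): stay in size_t and refuse any count
   whose byte size cannot be represented. Returns 0 on success, -1 if not. */
static int bytes_with_size_t_counter(size_t pathc, size_t entry_size,
                                     size_t *out)
{
    if (pathc == SIZE_MAX)
        return -1;                                 /* pathc + 1 would wrap */
    if (entry_size != 0 && pathc + 1 > SIZE_MAX / entry_size)
        return -1;                                 /* product would wrap */
    *out = (pathc + 1) * entry_size;
    return 0;
}

int main(void)
{
    size_t need = 0;
    size_t got = bytes_with_int_counter(SAMPLE_PATHC, sizeof(char *));
    int rc = bytes_with_size_t_counter(SAMPLE_PATHC, sizeof(char *), &need);

    /* On LP64 the int-based size covers 6 pointers, not 2^32 + 6. */
    printf("int counter:    %zu bytes\n", got);
    printf("size_t counter: rc=%d, %zu bytes\n", rc, need);
    return 0;
}
```

A buffer sized from the narrowed count is far smaller than the number of entries later written into it, which is the memory-corruption risk the report raises.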