This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[Bug libc/15672] New: error_tail overflow in allocation calculation

From: "jsm28 at gcc dot gnu.org" <sourceware-bugzilla at sourceware dot org>
To: glibc-bugs at sourceware dot org
Date: Mon, 24 Jun 2013 19:58:52 +0000
Subject: [Bug libc/15672] New: error_tail overflow in allocation calculation
Auto-submitted: auto-generated

http://sourceware.org/bugzilla/show_bug.cgi?id=15672

            Bug ID: 15672
           Summary: error_tail overflow in allocation calculation
           Product: glibc
           Version: 2.17
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: jsm28 at gcc dot gnu.org
                CC: drepper.fsp at gmail dot com

misc/error.c:error_tail, in the conversion code for when stderr is
wide-oriented, calculates an allocation size as (len * sizeof (wchar_t))
without checking if that might overflow, as it would for a 1GB string on a
32-bit system.

It seems unlikely for an application to call error with an untrusted error
string that is nevertheless known to be a valid printf format string (if it's
not checked to be a valid format string, at least without %n, there's a much
more simple exploit), but obviously such an allocation should be checked in any
case.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]