This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: URGENT: patch to fix buffer overflow in cygwin1.dll in versions 1.7.2 to 1.7.5


On Apr 13 09:47, John Bowman wrote:
> A serious buffer overflow was introduced over 2 years ago (-r1.141 2008/02/14)
> when support for wide characters was added. The change below unleashed
> this bug, leading to random segmentation faults on forking when using
> cygwin 1.7.2 to 1.7.5 (e.g. when running kpsewhich or asymptote):
> 
> 2009-12-18  Corinna Vinschen  <OUTCH>

Outch!  Please do NOT quote raw email addresses in your mail.  I, for
one, am already getting more than enough spam as it is today.  Thanks for
considering.

> I recommend releasing a new cygwin1.dll as soon as possible.
> As an interim solution, I have applied the patch below and compiled it as
> the cygwin1.dll that ships with Asymptote-1.92:
> 
> https://sourceforge.net/projects/asymptote/files/asymptote/1.92/asymptote-1.92-setup.exe/download

Any chance you can just point to the Cygwin distro and prepare a
download area for your package instead of packing your own Cygwin?

> diff -ru cygwin.broken/cygheap.cc cygwin/cygheap.cc
> --- cygwin.broken/cygheap.cc	2009-10-03 05:28:04.000000000 -0700
> +++ cygwin/cygheap.cc	2010-04-12 05:43:47.640625000 -0700
> @@ -363,7 +363,7 @@
>  cwcsdup (const PWCHAR s)
>  {
>    MALLOC_CHECK;
> -  PWCHAR p = (PWCHAR) cmalloc (HEAP_STR, wcslen (s) + 1);
> +  PWCHAR p = (PWCHAR) cmalloc (HEAP_STR, (wcslen (s) + 1) * sizeof(wchar_t));
>    if (!p)
>      return NULL;
>    wcpcpy (p, s);
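Review bot: the size passed to cmalloc on the `-` line counts characters, not bytes, so `wcslen (s) + 1` bytes are reserved for a buffer that the following `wcpcpy (p, s)` fills with `(wcslen (s) + 1) * sizeof (WCHAR)` bytes; the `+` line corrects that. Since the parameter is a PWCHAR, prefer `sizeof (WCHAR)` over `sizeof(wchar_t)` so the element type is spelled the same way throughout the function (the two types are the same width on Windows, so this is a consistency point, not a correctness one), and match the file's `sizeof (x)` spacing.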
> @@ -375,7 +375,7 @@
>  cwcsdup1 (const PWCHAR s)
>  {
>    MALLOC_CHECK;
> -  PWCHAR p = (PWCHAR) cmalloc (HEAP_1_STR, wcslen (s) + 1);
> +  PWCHAR p = (PWCHAR) cmalloc (HEAP_1_STR, (wcslen (s) + 1) * sizeof(wchar_t));
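Review bot: same character-versus-byte fix as in cwcsdup above; the only difference visible between the two functions is the heap tag (HEAP_1_STR here, HEAP_STR there), so a shared static helper taking the heap tag as a parameter would keep the size computation in one place and stop the two copies drifting apart again. The quoted hunk is cut off before the copy, but with this allocation size a wcpcpy of s fits exactly, terminator included. As in the first hunk, `sizeof (WCHAR)` would match the declared PWCHAR type.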

Thanks for the patch.  I've applied it to CVS, just changed wchar_t to
WCHAR to match the rest of the function.  Fortunately this only affects
read access to /proc/registry so it's not *that* urgent.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
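The allocation mistake under discussion, shown beside its corrected form as an added example that is not Cygwin's own code: plain wchar_t and malloc stand in for PWCHAR and cmalloc, and the function names buggy_alloc_size, needed_alloc_size, wcsdup_fixed and overflow_bytes are mine.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Size the pre-fix cwcsdup passed to cmalloc: a character count, which is
   only a byte count when sizeof(wchar_t) == 1, never the case for wide
   strings (2 bytes per WCHAR on Windows, 4 per wchar_t on most Unixes). */
size_t buggy_alloc_size(const wchar_t *s)
{
    return wcslen(s) + 1;
}

/* Bytes really needed for the string plus its terminator, i.e. what the
   copy in cwcsdup writes. Returns 0 if the multiplication would wrap;
   unreachable for any real string, but the check costs nothing. */
size_t needed_alloc_size(const wchar_t *s)
{
    size_t chars = wcslen(s) + 1;
    if (chars > SIZE_MAX / sizeof(wchar_t))
        return 0;
    return chars * sizeof(wchar_t);
}

/* Duplicate a wide string with the corrected size computation.
   memcpy with the exact byte count copies the terminator as well. */
wchar_t *wcsdup_fixed(const wchar_t *s)
{
    size_t bytes = needed_alloc_size(s);
    if (bytes == 0)
        return NULL;
    wchar_t *p = malloc(bytes);
    if (!p)
        return NULL;
    memcpy(p, s, bytes);
    return p;
}

/* How far past the end of a buggy-sized buffer the copy would write:
   the heap corruption that surfaced as random crashes on fork. */
size_t overflow_bytes(const wchar_t *s)
{
    return needed_alloc_size(s) - buggy_alloc_size(s);
}
```

Even the empty string overflows by sizeof(wchar_t) - 1 bytes, so the bug does not need a long registry key name to trigger.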


