This is the mail archive of the
glibc-bugs-regex@sourceware.org
mailing list for the glibc project.
[Bug regex/17062] New: fnmatch: buffer overflow read from pattern "[[:alpha:]'[:alpha:]"
- From: "konstantin.s.serebryany at gmail dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs-regex at sourceware dot org
- Date: Tue, 17 Jun 2014 15:22:24 +0000
- Subject: [Bug regex/17062] New: fnmatch: buffer overflow read from pattern "[[:alpha:]'[:alpha:]"
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=17062
Bug ID: 17062
Summary: fnmatch: buffer overflow read from pattern
"[[:alpha:]'[:alpha:]"
Product: glibc
Version: 2.19
Status: NEW
Severity: normal
Priority: P2
Component: regex
Assignee: unassigned at sourceware dot org
Reporter: konstantin.s.serebryany at gmail dot com
CC: drepper.fsp at gmail dot com
Created attachment 7641
--> https://sourceware.org/bugzilla/attachment.cgi?id=7641&action=edit
fn1.c
Given the pattern "[[:alpha:]'[:alpha:]" and locale "en_US.UTF8" fnmatch()
will read at least 1 byte past the end of the pattern buffer (maybe more).
Initially found with ASAN-instrumented glibc, then confirmed without ASAN.
At least 2.19 and fresh trunk are affected.
ASAN report:
==8418==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000eff5
READ of size 1 at 0x60300000eff5 thread T0
#0 0x7f31375019f1 in internal_fnmatch glibc-2.19/posix/fnmatch_loop.c:918
#1 0x7f3137501cb7 in __GI_fnmatch glibc-2.19/posix/fnmatch.c:454
#2 0x4b364f in main fn1.c:14
0x60300000eff5 is located 0 bytes to the right of 21-byte region
[0x60300000efe0,0x60300000eff5)
allocated by thread T0 here:
#0 0x494ff9 in malloc
#1 0x7f31374947a5 in __GI___strdup glibc-2.19/string/strdup.c:42
#2 0x4b363d in main fn1.c:12
Full reproducer attached.
Currently it's a bit tricky to build ASAN-instrumented glibc,
but this reproducer happily crashes w/o any tool.
#0 0x7fee9d62d443 in internal_fnmatch glibc-trunk/posix/fnmatch_loop.c:903
#1 0x7fee9d62dedd in __GI_fnmatch glibc-trunk/posix/fnmatch.c:454
#2 0x4b3012 in main fn1.c:30
--
You are receiving this mail because:
You are on the CC list for the bug.