This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

[Bug stdio/14286] New: Integer overflow in computing allocation size in vfwprintf %s handling


http://sourceware.org/bugzilla/show_bug.cgi?id=14286

             Bug #: 14286
           Summary: Integer overflow in computing allocation size in
                    vfwprintf %s handling
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: stdio
        AssignedTo: unassigned@sourceware.org
        ReportedBy: bugdal@aerifal.cx
    Classification: Unclassified


Lines 1050-1052 of vfprintf.c (used for vfwprintf) contain an integer overflow
computing the allocation size for a wide string buffer:

    if (__libc_use_alloca (len * sizeof (wchar_t)))
      string = (CHAR_T *) alloca (len * sizeof (wchar_t));
    else if ((string = (CHAR_T *) malloc (len * sizeof (wchar_t)))

If len (the computed strlen of the input string) is at least 1GB on a 32-bit
machine, the multiplication overflows and results in an allocation too small
for the string. The undersized buffer is later passed as the destination to
__mbsrtowcs.

I originally assumed this would be highly exploitable: unlike with many
under-allocation bugs, you should be able to control how much is written by
including an invalid multibyte sequence in the input where you want copying to
stop, so that the overflow does not run off the end of valid writable memory
and segfault. However, it turns out mbsrtowcs_l.c has the exact same overflow
at line 113:

   data.__outbufend = data.__outbuf + len * sizeof (wchar_t);

thereby causing it to write no more data than vfwprintf allocated space for.

In any case, this overflow still leads to incorrect behavior. I will upload a
test case right away.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]