This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug libc/14459] New: strtod integer and buffer overflows
- From: "jsm28 at gcc dot gnu.org" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sources dot redhat dot com
- Date: Sun, 12 Aug 2012 18:23:06 +0000
- Subject: [Bug libc/14459] New: strtod integer and buffer overflows
- Auto-submitted: auto-generated
http://sourceware.org/bugzilla/show_bug.cgi?id=14459
Bug #: 14459
Summary: strtod integer and buffer overflows
Product: glibc
Version: 2.16
Status: NEW
Severity: normal
Priority: P2
Component: libc
AssignedTo: unassigned@sourceware.org
ReportedBy: jsm28@gcc.gnu.org
CC: drepper.fsp@gmail.com
Classification: Unclassified
strtod and related functions have integer overflow bugs resulting from the use
of "int" for internal variables and calculations where the actual values
involved may exceed the range of int. These integer overflows can in turn
result in buffer overflow on the stack. The following testcase illustrates
such a buffer overflow. Testing a patch. (I found this issue while working on
the fix for bug 3479.)
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Exponent one below INT_MIN, i.e. outside the range of int.  */
#define EXPONENT "e-2147483649"
/* Number of mantissa zeros after the leading '1' (about 214 MB).  */
#define SIZE 214748364

int
main (void)
{
  /* Leading digit + SIZE zeros + exponent; sizeof includes the NUL.  */
  char *p = malloc (1 + SIZE + sizeof (EXPONENT));
  if (p == NULL)
    {
      perror ("malloc");
      exit (EXIT_FAILURE);
    }
  p[0] = '1';
  memset (p + 1, '0', SIZE);
  memcpy (p + 1 + SIZE, EXPONENT, sizeof (EXPONENT));
  double d = strtod (p, NULL);
  printf ("%a\n", d);
  exit (EXIT_SUCCESS);
}
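The defensive pattern the report implies, as an added example that is neither glibc code nor the reporter's patch: accumulate the exponent and the mantissa digit count with saturation in a wide type instead of an unchecked int, so the testcase's "e-2147483649" and its 214748364 zeros can never wrap. The names, EXP_CLAMP and the +-400 classification margin are assumptions of this example.

```c
#include <ctype.h>

/* Added example (not glibc code).  Beyond EXP_CLAMP a decimal exponent is
   already 0 or infinity for a double, so pinning values there loses nothing. */
#define EXP_CLAMP 1000000000LL

static long long clamp_exp (long long v)
{ return v > EXP_CLAMP ? EXP_CLAMP : (v < -EXP_CLAMP ? -EXP_CLAMP : v); }

/* Parse "e[+-]digits" with saturation instead of "int exp = exp * 10 + d",
   which is what wraps on an exponent like -2147483649.  No exponent -> 0. */
long long parse_exponent_sat (const char *s)
{
  long long v = 0, sign = 1;
  if (*s != 'e' && *s != 'E') return 0;
  s++;
  if (*s == '+' || *s == '-') sign = (*s++ == '-') ? -1 : 1;
  if (!isdigit ((unsigned char) *s)) return 0;
  for (; isdigit ((unsigned char) *s); s++)
    if (v < EXP_CLAMP)               /* once saturated, just consume digits */
      v = clamp_exp (v * 10 + (*s - '0'));
  return sign * v;
}

/* A mantissa of n integer digits (first nonzero) is d.ddd x 10^(n-1), so the
   effective exponent is (n-1)+e.  Both terms are clamped, then the sum is. */
long long effective_exponent (unsigned long long int_digits, const char *exp_part)
{
  long long n = int_digits > (unsigned long long) EXP_CLAMP
                ? EXP_CLAMP : (long long) int_digits;
  return clamp_exp ((n - 1) + parse_exponent_sat (exp_part));
}

enum exp_class { EXP_ZERO, EXP_INRANGE, EXP_INF };

/* Classify "digits[e...]" (no sign or fraction, like the testcase above)
   without converting it; the digit count itself is saturated too. */
enum exp_class classify_decimal (const char *s)
{
  unsigned long long n = 0;
  while (*s == '0') s++;                       /* leading zeros: no magnitude */
  for (; isdigit ((unsigned char) *s); s++)
    if (n < (unsigned long long) EXP_CLAMP) n++;
  long long e = effective_exponent (n, s);
  /* doubles cover about 10^-324 .. 10^308; outside a margin the outcome is
     fixed regardless of the mantissa digits */
  if (e < -400) return EXP_ZERO;
  if (e > 400) return EXP_INF;
  return EXP_INRANGE;
}
```

effective_exponent (1 + 214748364, "e-2147483649") reproduces the testcase's arithmetic without allocating its 214 MB buffer and yields a large negative exponent, i.e. the value underflows to zero.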