This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug stdio/17269] New: _IO_wstr_overflow integer overflow


https://sourceware.org/bugzilla/show_bug.cgi?id=17269

            Bug ID: 17269
           Summary: _IO_wstr_overflow integer overflow
           Product: glibc
           Version: 2.19
            Status: NEW
          Severity: normal
          Priority: P2
         Component: stdio
          Assignee: unassigned at sourceware dot org
          Reporter: jsm28 at gcc dot gnu.org

libio/wstrops.c:_IO_wstr_overflow does:

          _IO_size_t new_size = 2 * old_wblen + 100;
          if (new_size < old_wblen)
            return EOF;
          new_buf
            = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer)
                (new_size * sizeof (wchar_t));

This allows for overflow in calculating the new size in wide characters, but
not for overflow in the multiplication to compute the size in bytes, which
could thus overflow and result in a buffer overrun copying data into the new
buffer.

(I don't know about the practical exploitability with a stream opened with
open_wmemstream.  At the doubling before the one resulting in the overflow
you'd have buffers of (nearly) 1/4 and 1/2 of the address space or more
allocated simultaneously, so it needs to be possible to allocate 3/4 of the
address space in those two contiguous regions in order to get to the point
where the overflow occurs.)

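As an added illustration (not code from the report, and not glibc's own code), the following C models the two size computations the report describes: one function reproduces the check sequence quoted from _IO_wstr_overflow, and a second applies a bound to each arithmetic step before performing it. The function names, the element-size parameter (used instead of hard-coding sizeof (wchar_t)) and the sample old_wblen value are choices made here. Passing old_wblen = SIZE_MAX / 4 with a 4-byte element is enough to show the point: the doubling in wide characters does not wrap, so the existing check passes, but the byte count handed to the allocator wraps to 392 on any size_t width.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Model of the growth arithmetic quoted in the report:
 *   new_size = 2 * old_wblen + 100, rejected only if new_size < old_wblen,
 *   then new_size * element size with no further check.
 * Returns the byte count that would be requested from the allocator,
 * or 0 where the quoted code would return EOF.  (A real request can never
 * be 0 here since new_size >= 100, so 0 is safe as a "rejected" marker.)
 */
size_t reported_alloc_size(size_t old_wblen, size_t elem_size)
{
    size_t new_size = 2 * old_wblen + 100;  /* may wrap */
    if (new_size < old_wblen)               /* the only check present */
        return 0;                           /* EOF in the original */
    return new_size * elem_size;            /* unchecked: can wrap small */
}

/*
 * Hardened variant (added here, not glibc's fix): bound each step against
 * SIZE_MAX before doing the arithmetic, so neither the element count nor
 * the byte count can wrap.  Returns 0 where the request must be refused.
 */
size_t checked_alloc_size(size_t old_wblen, size_t elem_size)
{
    if (elem_size == 0)
        return 0;
    if (old_wblen > (SIZE_MAX - 100) / 2)   /* 2 * old + 100 would wrap */
        return 0;
    size_t new_size = 2 * old_wblen + 100;
    if (new_size > SIZE_MAX / elem_size)    /* new_size * elem would wrap */
        return 0;
    return new_size * elem_size;
}

int main(void)
{
    /* Constructed input: a buffer already holding SIZE_MAX/4 elements. */
    size_t old_wblen = SIZE_MAX / 4;
    size_t elem = 4;                        /* sizeof (wchar_t) on glibc/Linux */

    printf("old_wblen        = %zu elements\n", old_wblen);
    printf("as reported      = %zu bytes (0 means EOF)\n",
           reported_alloc_size(old_wblen, elem));
    printf("with full checks = %zu bytes (0 means refused)\n",
           checked_alloc_size(old_wblen, elem));
    return 0;
}
```

With old_wblen = SIZE_MAX / 4 the first function reports a 392-byte allocation for a buffer that is supposed to hold more than 2^63 (or 2^31 on 32-bit) wide characters, which is the overrun the report points at; the checked variant refuses the request. On GCC and Clang the two bounds could equally be written with __builtin_mul_overflow and __builtin_add_overflow; the SIZE_MAX division form is used here because it needs no compiler extension.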

