This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug libc/18032] New: buffer overflow (read past end of buffer) in internal_fnmatch
- From: "konstantin.s.serebryany at gmail dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Thu, 26 Feb 2015 02:43:38 +0000
- Subject: [Bug libc/18032] New: buffer overflow (read past end of buffer) in internal_fnmatch
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=18032
Bug ID: 18032
Summary: buffer overflow (read past end of buffer) in
internal_fnmatch
Product: glibc
Version: 2.21
Status: NEW
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: konstantin.s.serebryany at gmail dot com
CC: drepper.fsp at gmail dot com
#include <fnmatch.h>
#include <string.h>
int main(int argc, const char* argv[]) {
const char text[] = {44, 92, 91, 44, 91, 46, 0};
const char p[] = {91, 44, 91, 46, 0};
const char *Pat = strdup(p);
fnmatch(Pat, text, 0);
}
gcc -g fn2.c && valgrind ./a.out # 2.19
==32342== Invalid read of size 1
==32342== at 0x4EFEF92: internal_fnmatch (fnmatch_loop.c:965)
==32342== by 0x4EFFF71: fnmatch@@GLIBC_2.2.5 (fnmatch.c:458)
==32342== by 0x400663: main (fn2.c:7)
==32342== Address 0x51fc045 is 0 bytes after a block of size 5 alloc'd
==32342== at 0x4C2ABBD: malloc (vg_replace_malloc.c:296)
==32342== by 0x4EBF3C9: strdup (strdup.c:42)
==32342== by 0x400647: main (fn2.c:6)
Reproduced on 2.19 and on fresh trunk;
initially found with an experimental AddressSanitizer build of glibc and
a coverage guided fuzzer.
# trunk
==32737==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60200000eff5 at pc 0x7f0bc10c9588 bp 0x7fff4676fef0 sp 0x7fff4676fee8
READ of size 1 at 0x60200000eff5 thread T0
#0 0x7f0bc10c9587 in internal_fnmatch posix/./fnmatch_loop.c:951:8
#1 0x7f0bc10b3014 in __GI_fnmatch posix/fnmatch.c:458:10
#2 0x4c1e3f in main
0x60200000eff5 is located 0 bytes to the right of 5-byte region
[0x60200000eff0,0x60200000eff5)
allocated by thread T0 here:
#0 0x48d23c in __interceptor_strdup
#1 0x4c1dfe in main
See also https://sourceware.org/bugzilla/show_bug.cgi?id=17062 -- a different
bug somewhere similar.
--
You are receiving this mail because:
You are on the CC list for the bug.