This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug libc/19669] New: Missing Sanity Checks for malloc()/calloc() plus possible null pointer dereference (CWE-476)
- From: "wp02855 at gmail dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Thu, 18 Feb 2016 21:07:41 +0000
- Subject: [Bug libc/19669] New: Missing Sanity Checks for malloc()/calloc() plus possible null pointer dereference (CWE-476)
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=19669
Bug ID: 19669
Summary: Missing Sanity Checks for malloc()/calloc() plus possible null pointer dereference (CWE-476)
Product: glibc
Version: 2.22
Status: NEW
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: wp02855 at gmail dot com
CC: drepper.fsp at gmail dot com
Target Milestone: ---
Created attachment 9007: patch file for above bug report (diff -u)
--> https://sourceware.org/bugzilla/attachment.cgi?id=9007&action=edit
In directory 'glibc-2.22/posix', file 'regcomp.c', there appear to be
some instances of calls to calloc() and malloc() which are not
checked for a return value of NULL, indicating failure. Additionally,
functions like strncpy() and mempcpy() are called immediately after
the calls to malloc()/calloc(), which could result in a segmentation
fault/violation.
The patch file below should address/correct these issues:
--- regcomp.c.orig 2016-02-17 17:24:30.746970756 -0800
+++ regcomp.c 2016-02-17 17:28:15.680558658 -0800
@@ -775,6 +775,8 @@
#ifdef DEBUG
/* Note: length+1 will not overflow since it is checked in init_dfa. */
dfa->re_str = re_malloc (char, length + 1);
+ if (dfa->re_str == NULL)
+ return REG_ESPACE;
strncpy (dfa->re_str, pattern, length + 1);
#endif
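Review bot: the added `return REG_ESPACE;` after `dfa->re_str = re_malloc (char, length + 1);` returns from a function that already holds an allocated dfa, so on this path the dfa and whatever it owns are never released. Follow the cleanup the enclosing function performs on its other error returns (free the dfa and reset the caller-visible state) instead of returning straight out. Also note that this block sits inside `#ifdef DEBUG`, so the check only affects debug builds; the report should say so.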
@@ -849,6 +851,8 @@
dfa->nodes_alloc = pat_len + 1;
dfa->nodes = re_malloc (re_token_t, dfa->nodes_alloc);
+ if (dfa->nodes == NULL)
+ return REG_ESPACE;
/* table_size = 2 ^ ceil(log pat_len) */
for (table_size = 1; ; table_size <<= 1)
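Review bot: before adding the NULL check right after `dfa->nodes = re_malloc (re_token_t, dfa->nodes_alloc);`, confirm the enclosing function does not already validate `dfa->nodes` further down together with the other members it allocates. The visible code keeps going (computing `table_size` and allocating `state_table` in the next hunk) without dereferencing `nodes`, which is the shape of a deferred combined check; if such a check exists, this hunk is redundant rather than a missing sanity check.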
@@ -856,6 +860,8 @@
break;
dfa->state_table = calloc (sizeof (struct re_state_table_entry),
table_size);
+ if (dfa->state_table == NULL)
+ return REG_ESPACE;
dfa->state_hash_mask = table_size - 1;
dfa->mb_cur_max = MB_CUR_MAX;
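Review bot: same question as for `dfa->nodes`: after the calloc the code only stores `dfa->state_hash_mask` and `dfa->mb_cur_max` and never dereferences `dfa->state_table`, so an existing combined `nodes == NULL || state_table == NULL` check later in the function would already cover this; if both new checks are kept they should be merged into one. Separately, `calloc (sizeof (struct re_state_table_entry), table_size)` passes its arguments in (size, count) order while calloc takes (count, size); the product is the same, but it is worth correcting while these lines are being touched.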
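A constructed C example, added here and not taken from the bug report, the attachment or glibc, showing the allocation-failure pattern the patch is aiming at: members are allocated, checked together before any dereference, and the caller frees the partially built object on error, with a fault-injecting allocator confirming that nothing leaks whichever allocation fails. The names dfa, init_dfa, compile and xmalloc are stand-ins assumed for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for regcomp.c's dfa: an object owning two heap members. */
struct dfa { char *nodes; char *state_table; };

/* Fault-injecting allocator: call number fail_on_call (1-based) returns NULL,
   0 means never fail; live_blocks counts outstanding blocks to detect leaks. */
static int alloc_calls, fail_on_call, live_blocks;
static void *xmalloc(size_t n)
{
    if (++alloc_calls == fail_on_call) return NULL;
    live_blocks++;
    return malloc(n);
}
static void xfree(void *p) { if (p) { live_blocks--; free(p); } }
static void free_dfa(struct dfa *d) { xfree(d->nodes); xfree(d->state_table); xfree(d); }

/* init_dfa-style helper: allocate the members, then validate them together.
   Neither pointer is dereferenced before the check; on failure it returns -1
   (REG_ESPACE in glibc) and leaves cleanup to the caller. */
static int init_dfa(struct dfa *d, size_t pat_len)
{
    d->nodes = xmalloc(pat_len + 1);
    d->state_table = xmalloc(16);
    if (d->nodes == NULL || d->state_table == NULL)
        return -1;
    memset(d->state_table, 0, 16);   /* first dereference is after the check */
    return 0;
}

/* Caller owns cleanup: on init failure the partially built dfa is freed,
   so nothing leaks whichever allocation failed. */
static struct dfa *compile(size_t pat_len)
{
    struct dfa *d = xmalloc(sizeof *d);
    if (d == NULL)
        return NULL;
    d->nodes = d->state_table = NULL;
    if (init_dfa(d, pat_len) != 0) { free_dfa(d); return NULL; }
    return d;
}

/* Forces allocation number failing_call to fail inside compile() and returns
   the number of heap blocks still live afterwards; 0 means no leak. */
static int leak_after_failure(int failing_call)
{
    alloc_calls = live_blocks = 0;
    fail_on_call = failing_call;
    struct dfa *d = compile(8);
    if (d != NULL) free_dfa(d);
    return live_blocks;
}
```

Allocation 1 is the dfa itself, 2 is nodes and 3 is state_table; leak_after_failure(n) reports zero live blocks for every n, showing that a deferred check plus caller-side cleanup handles each failure point.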