This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug libc/19669] New: Missing Sanity Checks for malloc()/calloc() plus possible null pointer dereference (CWE-476)


https://sourceware.org/bugzilla/show_bug.cgi?id=19669

            Bug ID: 19669
           Summary: Missing Sanity Checks for malloc()/calloc() plus
                    possible null pointer dereference (CWE-476)
           Product: glibc
           Version: 2.22
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: wp02855 at gmail dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

Created attachment 9007
  --> https://sourceware.org/bugzilla/attachment.cgi?id=9007&action=edit
patch file for above bug report (diff -u)

In directory 'glib-2.22/posix', file 'regcomp.c', there appear to be
some instances of calls to calloc() and malloc() which are not
checked for a return value of NULL, indicating failure.  Additionally,
functions like strncpy() and mempcpy() are called immediately after
the calls to malloc()/calloc(), which could result in a segmentation
fault/violation.

The patch file below should address/correct these issues:

--- regcomp.c.orig      2016-02-17 17:24:30.746970756 -0800
+++ regcomp.c   2016-02-17 17:28:15.680558658 -0800
@@ -775,6 +775,8 @@
 #ifdef DEBUG
   /* Note: length+1 will not overflow since it is checked in init_dfa.  */
   dfa->re_str = re_malloc (char, length + 1);
+  if (dfa->re_str == NULL)
+    return REG_ESPACE;
   strncpy (dfa->re_str, pattern, length + 1);
 #endif
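Review bot: the bare `return REG_ESPACE;` added after the `re_malloc` skips whatever cleanup the enclosing function performs on its other failure paths; the `dfa` that `re_str` hangs off was allocated before this point, so returning directly here looks like it leaks that object and hands the caller a partially initialized `preg`. Consider routing this failure through the same error path the function already uses when `init_dfa` fails (free the dfa, reset the caller's buffer, then return `REG_ESPACE`) rather than returning inline. Note also that the whole block sits under `#ifdef DEBUG`, so the unchecked `strncpy` only ever runs in debug builds.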

@@ -849,6 +851,8 @@

   dfa->nodes_alloc = pat_len + 1;
   dfa->nodes = re_malloc (re_token_t, dfa->nodes_alloc);
+  if (dfa->nodes == NULL)
+    return REG_ESPACE;

   /*  table_size = 2 ^ ceil(log pat_len) */
   for (table_size = 1; ; table_size <<= 1)
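Review bot: nothing between the `re_malloc` and the end of this hunk dereferences `dfa->nodes` (the following loop only computes `table_size`), so the early return is only needed if `init_dfa` has no later NULL test before `nodes` is first used; please confirm the function does not already check `dfa->nodes` together with `dfa->state_table` further down, otherwise this adds a redundant check. If it stays, the comment line above it should also record that `nodes_alloc` has already been set to `pat_len + 1` while `nodes` is NULL, so the caller's cleanup must tolerate that state.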
@@ -856,6 +860,8 @@
       break;

   dfa->state_table = calloc (sizeof (struct re_state_table_entry),
table_size);
+  if (dfa->state_table == NULL)
+    return REG_ESPACE;
   dfa->state_hash_mask = table_size - 1;

   dfa->mb_cur_max = MB_CUR_MAX;
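Review bot: same concern as the `dfa->nodes` check above: `dfa->state_table` is not dereferenced anywhere in this hunk (`state_hash_mask` is derived from `table_size` alone), so please confirm `init_dfa` lacks a later combined NULL check for `nodes` and `state_table` before a second one is added here. The context line `dfa->state_table = calloc (sizeof (struct re_state_table_entry),` / `table_size);` also arrives wrapped across two lines, which suggests the inline copy was reflowed by the mailer; the patch should be applied from attachment 9007 rather than from this message body.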
