This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug glob/22332] WRITE heap-buffer-overflow in glob()


https://sourceware.org/bugzilla/show_bug.cgi?id=22332

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |UNCONFIRMED
                 CC|                            |fweimer at redhat dot com
         Resolution|DUPLICATE                   |---
              Flags|                            |security+

--- Comment #2 from Florian Weimer <fweimer at redhat dot com> ---
No, the crash happens on line 868 here:

    848               if (unescape != NULL)
    849                 {
    850                   char *p = mempcpy (newp, dirname + 1,
    851                                      unescape - dirname - 1);
    852                   char *q = unescape;
    853                   while (*q != '\0')
    854                     {
    855                       if (*q == '\\')
    856                         {
    857                           if (q[1] == '\0')
    858                             {
    859                               /* "~fo\\o\\" unescape to user_name "foo\\",
    860                                  but "~fo\\o\\/" unescape to user_name
    861                                  "foo".  */
    862                               if (filename == NULL)
    863                                 *p++ = '\\';
    864                               break;
    865                             }
    866                           ++q;
    867                         }
    868                       *p++ = *q++;
    869                     }
    870                   *p = '\0';
    871                 }

The crash is obscured in glibc because it uses alloca, so you need to add more
data to the name before the overflow can be observed with valgrind.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
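The following C program is an added illustration and is not glibc code or part of this bug report. It re-implements the tilde-expansion unescape loop quoted in the comment (glob.c lines 848-871 as numbered there), using the escaping rules the in-code comment at line 859 describes, but routes every store through a capacity check so that the write which runs past the allocation at line 868 in this report cannot do so here. The function names `emit`, `unescape_user_name` and `user_name_fits`, the `filename_is_null` flag standing in for the `filename == NULL` test at line 862, and the sample inputs are all constructed for the example.

```c
/* Added example, not glibc code: a bounded model of the tilde-expansion
   unescape loop quoted above (glob.c lines 848-871 in this report).
   All function names here are hypothetical.  */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Store C at position N of OUT if that still leaves room for the NUL;
   always account for the byte so the caller learns the required length.  */
static size_t
emit (char *out, size_t cap, size_t n, char c)
{
  if (out != NULL && n + 1 < cap)
    out[n] = c;
  return n + 1;
}

/* DIRNAME is the "~user" component with escapes still present, as at the
   crash site.  FILENAME_IS_NULL mirrors the `filename == NULL' test at
   line 862: a trailing lone backslash is kept only when no '/' followed
   the component.  The escaping rules are those of lines 853-869; the
   difference is that every store goes through emit(), so OUT is never
   written past CAP bytes (the result is truncated instead, snprintf
   style).  Returns the length the full result needs, excluding the NUL;
   pass OUT == NULL to size a buffer before writing.  */
size_t
unescape_user_name (const char *dirname, int filename_is_null,
                    char *out, size_t cap)
{
  size_t n = 0;
  const char *q = dirname + 1;          /* skip the '~' */
  while (*q != '\0')
    {
      if (*q == '\\')
        {
          if (q[1] == '\0')
            {
              if (filename_is_null)
                n = emit (out, cap, n, '\\');
              break;
            }
          ++q;                          /* drop the escape itself */
        }
      n = emit (out, cap, n, *q++);
    }
  if (out != NULL && cap > 0)
    out[n < cap ? n : cap - 1] = '\0';  /* always NUL-terminate */
  return n;
}

/* The check the crash site does not make: does the unescaped name,
   plus its NUL, fit in CAP bytes?  */
int
user_name_fits (const char *dirname, int filename_is_null, size_t cap)
{
  return unescape_user_name (dirname, filename_is_null, NULL, 0) + 1 <= cap;
}

int
main (void)
{
  /* Constructed inputs, taken from the in-code comment at line 859.  */
  const char *name = "~fo\\o\\";
  char buf[8], tiny[3];

  size_t n = unescape_user_name (name, 1, buf, sizeof buf);
  printf ("%s (no '/' after it) -> \"%s\", %zu bytes\n", name, buf, n);
  n = unescape_user_name (name, 0, buf, sizeof buf);
  printf ("%s (followed by '/') -> \"%s\", %zu bytes\n", name, buf, n);

  /* A too-small buffer is truncated rather than overrun.  */
  n = unescape_user_name (name, 1, tiny, sizeof tiny);
  printf ("cap %zu: got \"%s\", needed %zu (fits: %s)\n", sizeof tiny, tiny,
          n, user_name_fits (name, 1, sizeof tiny) ? "yes" : "no");
  return 0;
}
```

Running it shows "foo\" for the component on its own and "foo" when a slash followed it, as the line 859 comment says; with a three-byte buffer the result is cut to "fo" and the return value reports that four bytes plus a NUL were needed, which is the information a caller needs to size the allocation before the copy rather than discovering the shortfall through a crash.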
