This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug glob/22332] WRITE heap-buffer-overflow in glob()
- From: "fweimer at redhat dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Sat, 21 Oct 2017 13:41:08 +0000
- Subject: [Bug glob/22332] WRITE heap-buffer-overflow in glob()
- Auto-submitted: auto-generated
- References: <bug-22332-131@http.sourceware.org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=22332
Florian Weimer <fweimer at redhat dot com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |UNCONFIRMED
                 CC|                            |fweimer at redhat dot com
         Resolution|DUPLICATE                   |---
              Flags|                            |security+
--- Comment #2 from Florian Weimer <fweimer at redhat dot com> ---
No, the crash happens on line 868 here:
848               if (unescape != NULL)
849                 {
850                   char *p = mempcpy (newp, dirname + 1,
851                                      unescape - dirname - 1);
852                   char *q = unescape;
853                   while (*q != '\0')
854                     {
855                       if (*q == '\\')
856                         {
857                           if (q[1] == '\0')
858                             {
859                               /* "~fo\\o\\" unescape to user_name "foo\\",
860                                  but "~fo\\o\\/" unescape to user_name
861                                  "foo". */
862                               if (filename == NULL)
863                                 *p++ = '\\';
864                               break;
865                             }
866                           ++q;
867                         }
868                       *p++ = *q++;
869                     }
870                   *p = '\0';
871                 }
The crash is obscured in glibc because it uses alloca, so you need to add more
data to the name before the overflow can be observed with valgrind.
--
You are receiving this mail because:
You are on the CC list for the bug.
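The loop quoted in comment #2, replayed in isolation as an added example (my code, not glibc's): it counts the bytes the loop would store against the `end_name - dirname` bytes glibc allocates for the user name. The allocation size and the way `end_name` and `unescape` are derived are not in the quoted excerpt; they are taken from the surrounding glob.c and assumed here. The `bounded` mode, which stops at `end_name` rather than at the NUL, is one way to express the invariant the buffer size relies on, not the committed fix.

```c
#include <stddef.h>
#include <string.h>
/* One replay of the tilde-unescape loop.  */
struct unescape_result {
    size_t capacity;  /* bytes allocated for the user name: end_name - dirname (assumed) */
    size_t stored;    /* bytes the loop stores, final NUL included */
};
/* Replays the quoted loop on PATTERN (a "~..." directory part) without touching
   memory: it only counts the bytes that would be stored.  BOUNDED == 0 runs to
   the string's NUL, as quoted; BOUNDED != 0 stops at end_name, the '/' that ends
   the user name, which is what the allocation size assumes.  */
static struct unescape_result replay_unescape(const char *pattern, int bounded)
{
    const char *dirname = pattern;
    const char *end_name = strchr(dirname, '/');
    const char *unescape;
    struct unescape_result r = {0, 0};
    if (end_name == NULL) {
        unescape = strchr(dirname, '\\');
        end_name = strchr(unescape != NULL ? unescape : dirname, '\0');
    } else {
        unescape = memchr(dirname, '\\', (size_t)(end_name - dirname));
    }
    r.capacity = (size_t)(end_name - dirname);
    if (unescape == NULL) {           /* nothing to unescape: plain copy, fits */
        r.stored = r.capacity;
        return r;
    }
    /* glibc's `filename == NULL` means the pattern has no '/' after the name.  */
    int have_filename = (*end_name == '/');
    const char *stop = bounded ? end_name : end_name + strlen(end_name);
    size_t n = (size_t)(unescape - dirname - 1);   /* the leading mempcpy */
    const char *q = unescape;
    while (q != stop) {               /* quoted code: while (*q != '\0') */
        if (*q == '\\') {
            if (q + 1 == stop) {      /* quoted code: if (q[1] == '\0') */
                if (!have_filename)
                    n++;              /* keeps the trailing backslash */
                break;
            }
            ++q;                      /* drop the backslash, store next char */
        }
        n++;                          /* line 868: *p++ = *q++ */
        q++;
    }
    r.stored = n + 1;                 /* line 870: *p = '\0' */
    return r;
}
```

For `~fo\o\/bar` the unbounded replay stores 8 bytes into a 6-byte allocation because the loop keeps copying past the `/`, while the bounded replay stores 4; an overrun this small is what the alloca placement hides from valgrind until the name is padded out.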