This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
Re: [patch] Fix for heap overflow in wscanf (BZ 16618)
- From: Rich Felker <dalias at libc dot org>
- To: libc-alpha at sourceware dot org
- Date: Mon, 2 Feb 2015 00:09:06 -0500
- Subject: Re: [patch] Fix for heap overflow in wscanf (BZ 16618)
- Authentication-results: sourceware.org; auth=none
- References: <CALoOobPgvuBLTk4GzOchr792MHNi1yLgsO5Jqf8MPvY+bk544Q at mail dot gmail dot com>
On Sun, Feb 01, 2015 at 12:52:48PM -0800, Paul Pluzhnikov wrote:
> Greetings,
>
> Attached patch is a rather obvious fix for BZ 16618.
> I believe this bug deserves a CVE (I've asked for one), and the fix
> should definitely go into 2.21.
>
> Tested on Linux/x86_64, no new failures.
> * A new semaphore algorithm has been implemented in generic C code for all
> machines. Previous custom assembly implementations of semaphore were
> diff --git a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c
> index cd129a8..b2ad0c5 100644
> --- a/stdio-common/vfscanf.c
> +++ b/stdio-common/vfscanf.c
> @@ -274,9 +274,9 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr,
> CHAR_T *old = wp; \
> size_t newsize = (UCHAR_MAX + 1 > 2 * wpmax \
> ? UCHAR_MAX + 1 : 2 * wpmax); \
> - if (use_malloc || !__libc_use_alloca (newsize)) \
> + if (use_malloc || !__libc_use_alloca (newsize * sizeof (CHAR_T))) \
> { \
> - wp = realloc (use_malloc ? wp : NULL, newsize); \
> + wp = realloc (use_malloc ? wp : NULL, newsize * sizeof (CHAR_T)); \
Offhand, the multiplication newsize * sizeof (CHAR_T) looks like a
potential integer overflow. Are you sure it's okay?
Rich