This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
Re: [patch] Fix for heap overflow in wscanf (BZ 16618)
- From: Andreas Schwab <schwab at suse dot de>
- To: Paul Pluzhnikov <ppluzhnikov at google dot com>
- Cc: Rich Felker <dalias at libc dot org>, libc-alpha at sourceware dot org
- Date: Mon, 02 Feb 2015 11:03:16 +0100
- Subject: Re: [patch] Fix for heap overflow in wscanf (BZ 16618)
- Authentication-results: sourceware.org; auth=none
- References: <CALoOobPgvuBLTk4GzOchr792MHNi1yLgsO5Jqf8MPvY+bk544Q at mail dot gmail dot com> <20150202050906 dot GF23507 at brightrain dot aerifal dot cx> <CALoOobP5yEqB-oKUvPVJm0znonYJ_iM1q_uFBNT2sRojBguJ-A at mail dot gmail dot com>
Paul Pluzhnikov <ppluzhnikov@google.com> writes:
> diff --git a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c
> index cd129a8..71cba38 100644
> --- a/stdio-common/vfscanf.c
> +++ b/stdio-common/vfscanf.c
> @@ -274,9 +274,17 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr,
> CHAR_T *old = wp; \
> size_t newsize = (UCHAR_MAX + 1 > 2 * wpmax \
> ? UCHAR_MAX + 1 : 2 * wpmax); \
> - if (use_malloc || !__libc_use_alloca (newsize)) \
> + if (__glibc_unlikely (wpmax > SIZE_MAX / 2) \
> + || __glibc_unlikely (newsize > SIZE_MAX / sizeof (CHAR_T))) \
> { \
> - wp = realloc (use_malloc ? wp : NULL, newsize); \
> + if (use_malloc) \
> + free (old); \
> + done = EOF; \
> + goto errout; \
> + } \
You should set errno here.
Andreas.
--
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE 1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."