This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug libc/12583] fnmatch: integer overflow in computation of the required memory
- From: "thoger at redhat dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sources dot redhat dot com
- Date: Wed, 16 Mar 2011 15:19:33 +0000
- Subject: [Bug libc/12583] fnmatch: integer overflow in computation of the required memory
- Auto-submitted: auto-generated
- References: <bug-12583-131@http.sourceware.org/bugzilla/>
http://sourceware.org/bugzilla/show_bug.cgi?id=12583
--- Comment #1 from Tomas Hoger <thoger at redhat dot com> 2011-03-16 15:19:29 UTC ---
I believe a check like this should be consistent with how other integer
overflow checks are done in glibc:
--- fnmatch.c.orig
+++ fnmatch.c
@@ -370,7 +370,8 @@
{
prepare_wpattern:
n = mbsrtowcs (NULL, &pattern, 0, &ps);
- if (__builtin_expect (n == (size_t) -1, 0))
+ if (__builtin_expect (n == (size_t) -1
+ || n >= (size_t) -1 / sizeof(wchar_t) - 1, 0))
/* Something wrong.
XXX Do we have to set `errno' to something which mbsrtows hasn't
already done? */
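Review bot: the added n >= (size_t) -1 / sizeof(wchar_t) - 1 test at prepare_wpattern sends a pattern that converted successfully but is too long down the same branch as a real mbsrtowcs failure, while the comment under it still only discusses errno as left by mbsrtowcs. In the too-long case mbsrtowcs has not set errno, so either handle that case in its own branch with an explicit errno (ENOMEM would be the natural choice) or extend the comment to say what the caller should expect. Style: the surrounding code writes a space before the parenthesis, so sizeof (wchar_t).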
@@ -414,7 +415,8 @@
{
prepare_wstring:
n = mbsrtowcs (NULL, &string, 0, &ps);
- if (__builtin_expect (n == (size_t) -1, 0))
+ if (__builtin_expect (n == (size_t) -1
+ || n >= (size_t) -1 / sizeof(wchar_t) - 1, 0))
/* Something wrong.
XXX Do we have to set `errno' to something which mbsrtows hasn't
already done? */
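Review bot: at prepare_wstring the first operand n == (size_t) -1 is now redundant, because (size_t) -1 is always >= (size_t) -1 / sizeof(wchar_t) - 1, and the same bound is spelled out a second time here after the prepare_wpattern hunk. Keeping the explicit -1 test is fine for documenting the error return, but a short comment saying so would help, and the bound itself would be better as one shared macro or helper so the two sites cannot drift apart. Parenthesising the division, ((size_t) -1 / sizeof (wchar_t)) - 1, would also make the intended precedence obvious; as written the limit rejects one length more than strictly necessary, which is harmless.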
Or something like this for readability:
--- fnmatch.c.orig
+++ fnmatch.c
@@ -420,8 +420,11 @@
already done? */
goto free_return;
- wstring_malloc = wstring
- = (wchar_t *) malloc ((n + 1) * sizeof (wchar_t));
+ if (__builtin_expect (n >= (size_t) -1 / sizeof(wchar_t) - 1, 0))
+ wstring = NULL;
+ else
+ wstring_malloc = wstring
+ = (wchar_t *) malloc ((n + 1) * sizeof (wchar_t));
if (wstring == NULL)
{
free (wpattern_malloc);
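Review bot: the wpattern allocation is left unguarded in this variant; only the malloc for wstring gets the n >= (size_t) -1 / sizeof(wchar_t) - 1 test, whereas the first patch treats prepare_wpattern as having the same problem, so the equivalent guard is needed there too. In the new overflow branch only wstring is assigned (wstring = NULL), while the else branch assigns both wstring_malloc and wstring; please confirm wstring_malloc is initialised before this point, since the error path that follows already frees wpattern_malloc and the cleanup code presumably frees wstring_malloc as well. Style: sizeof (wchar_t) with a space, matching the line below it.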