This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug libc/14547] New: strcoll integer / buffer overflow
- From: "jsm28 at gcc dot gnu.org" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sources dot redhat dot com
- Date: Wed, 05 Sep 2012 20:59:31 +0000
- Subject: [Bug libc/14547] New: strcoll integer / buffer overflow
- Auto-submitted: auto-generated
http://sourceware.org/bugzilla/show_bug.cgi?id=14547
Bug #: 14547
Summary: strcoll integer / buffer overflow
Product: glibc
Version: 2.16
Status: NEW
Severity: normal
Priority: P2
Component: libc
AssignedTo: unassigned@sourceware.org
ReportedBy: jsm28@gcc.gnu.org
CC: drepper.fsp@gmail.com
Classification: Unclassified
The code in string/strcoll_l.c that computes a memory allocation size as (s1len + s2len) * (sizeof (int32_t) + 1) fails to allow for possible integer overflow in this computation. On a 32-bit host this can cause too-small allocations and consequent buffer overflow if the strings total more than 0.8GB. Testcase:
  #include <locale.h>
  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>

  /* Two copies of a string this long total 858993460 bytes, which makes
     (s1len + s2len) * (sizeof (int32_t) + 1) exceed 32 bits.  */
  #define SIZE 429496730

  int
  main (void)
  {
    /* One extra byte for the terminating NUL.  */
    char *p = malloc (1 + SIZE);
    if (setlocale (LC_COLLATE, "en_GB.UTF-8") == NULL)
      {
        puts ("setlocale failed, cannot test for overflow");
        return 0;
      }
    if (p == NULL)
      {
        puts ("malloc failed, cannot test for overflow");
        return 0;
      }
    memset (p, 'x', SIZE);
    p[SIZE] = 0;
    /* Collating the string against itself passes two SIZE-byte inputs
       to strcoll, so the size computation overflows on a 32-bit host.  */
    printf ("%d\n", strcoll (p, p));
    return 0;
  }
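The following is an added illustration of the arithmetic behind the report; it is not code from the bug report or from glibc. It models the 32-bit size computation exactly as the report describes it, (s1len + s2len) * (sizeof (int32_t) + 1), and shows the checked alternative a caller would want: the addition and the multiplication are each tested against an explicit limit before they are performed, so the result can be refused instead of wrapping. The function names, the `limit` parameter (UINT32_MAX to model the 32-bit host, UINT64_MAX for a 64-bit one) and the sample lengths are assumptions made for this example; the length 429496730 is the SIZE from the test case above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Element size from the report's formula: sizeof (int32_t) + 1 == 5.  */
#define COLLATE_ELEM_SIZE ((uint64_t) (sizeof (int32_t) + 1))

/* Unchecked 32-bit version of the allocation size computation, modelling
   the behaviour the report describes on a 32-bit host.  Unsigned
   arithmetic silently wraps modulo 2^32, so a huge request can come out
   as a tiny number of bytes.  (Assumed model, not glibc's code.)  */
static uint32_t
unchecked_size32 (uint32_t s1len, uint32_t s2len)
{
  uint32_t sum = s1len + s2len;
  return sum * (uint32_t) COLLATE_ELEM_SIZE;
}

/* Checked version: returns true and stores the byte count in *out only if
   (s1len + s2len) * COLLATE_ELEM_SIZE fits within `limit`.  Both the sum
   and the product are tested before they are computed, so no intermediate
   value can wrap.  `limit` is an assumed parameter used here to model a
   32-bit (UINT32_MAX) or 64-bit (UINT64_MAX) size_t.  */
static bool
checked_collate_size (uint64_t s1len, uint64_t s2len, uint64_t limit,
                      uint64_t *out)
{
  /* s1len + s2len must not exceed limit.  Guard s2len > limit first so the
     subtraction itself cannot underflow.  */
  if (s2len > limit || s1len > limit - s2len)
    return false;
  uint64_t sum = s1len + s2len;

  /* sum * COLLATE_ELEM_SIZE must not exceed limit.  */
  if (sum > limit / COLLATE_ELEM_SIZE)
    return false;

  *out = sum * COLLATE_ELEM_SIZE;
  return true;
}

int
main (void)
{
  /* Constructed sample: both strings are SIZE bytes, as in the test case.  */
  const uint64_t len = 429496730;
  uint64_t bytes;

  /* 858993460 * 5 == 4294967300, which is 2^32 + 4: the unchecked 32-bit
     computation yields 4 bytes for a request that needed ~4 GB.  */
  printf ("unchecked 32-bit size: %u bytes\n",
          (unsigned) unchecked_size32 ((uint32_t) len, (uint32_t) len));

  if (!checked_collate_size (len, len, UINT32_MAX, &bytes))
    printf ("32-bit model: size computation refused (would overflow)\n");

  if (checked_collate_size (len, len, UINT64_MAX, &bytes))
    printf ("64-bit model: %llu bytes\n", (unsigned long long) bytes);

  return 0;
}
```

With the report's SIZE, the unchecked 32-bit computation returns 4, which is why the subsequent write into the allocated buffer overflows; the checked version refuses the request under a 32-bit limit and returns the true 4294967300 under a 64-bit one. Compilers that provide __builtin_mul_overflow and __builtin_add_overflow can express the same two checks more compactly, but the division-based form above is portable C99.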