This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug libc/14552] Two security issues in strcoll() function
- From: "shaun.colley at ioactive dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sources dot redhat dot com
- Date: Thu, 06 Sep 2012 16:22:41 +0000
- Subject: [Bug libc/14552] Two security issues in strcoll() function
- Auto-submitted: auto-generated
- References: <bug-14552-131@http.sourceware.org/bugzilla/>
http://sourceware.org/bugzilla/show_bug.cgi?id=14552
--- Comment #1 from Shaun Colley <shaun.colley at ioactive dot com> 2012-09-06 16:22:41 UTC ---
I've pasted the more complete fragment of code for the unbounded alloca() issue
below.
  /* We need this a few times.  */
  s1len = STRLEN (s1);
  s2len = STRLEN (s2);

  [ ... ]

     Please note that the localedef programs makes sure that `position'
     is not used at the first level.  */
  if (! __libc_use_alloca ((s1len + s2len) * (sizeof (int32_t) + 1))) // [1]
    // if arithmetic is greater than 65536, use malloc() instead of alloca()
    {
      idx1arr = (int32_t *) malloc ((s1len + s2len) * (sizeof (int32_t) + 1));
      idx2arr = &idx1arr[s1len];
      rule1arr = (unsigned char *) &idx2arr[s2len];
      rule2arr = &rule1arr[s1len];

      if (idx1arr == NULL)
        /* No memory.  Well, go with the stack then.

           XXX Once this implementation is stable we will handle this
           differently.  Instead of precomputing the indeces we will
           do this in time.  This means, though, that this happens for
           every pass again.  */
        goto try_stack;
      use_malloc = 1;
    }
  else
    {
    try_stack:
      idx1arr = (int32_t *) alloca (s1len * sizeof (int32_t));
      idx2arr = (int32_t *) alloca (s2len * sizeof (int32_t));
      rule1arr = (unsigned char *) alloca (s1len);
      rule2arr = (unsigned char *) alloca (s2len);
    }
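For comparison with the fragment quoted in the comment above, an added sketch (not glibc's code and not the fix glibc adopted) of sizing the four scratch arrays with checked arithmetic and reporting a failed malloc() instead of jumping to the stack path. The names `scratch_size`, `scratch_get`, `struct scratch` and `STACK_LIMIT` are hypothetical, and the 65536 budget is taken from the note at [1].

```c
#include <stdint.h>
#include <stdlib.h>

/* Assumed stack budget: the 65536 figure quoted at [1] in the comment. */
#define STACK_LIMIT 65536

struct scratch {              /* hypothetical holder for the four arrays */
  int32_t *idx1arr, *idx2arr;
  unsigned char *rule1arr, *rule2arr;
  void *heap;                 /* non-NULL when the caller must free() it */
};

/* Compute (s1len + s2len) * (sizeof (int32_t) + 1) without wrapping.
   Returns 0 and stores the byte count, or -1 if it exceeds size_t. */
static int scratch_size (size_t s1len, size_t s2len, size_t *need)
{
  const size_t per = sizeof (int32_t) + 1;
  if (s1len > SIZE_MAX - s2len || s1len + s2len > SIZE_MAX / per)
    return -1;
  *need = (s1len + s2len) * per;
  return 0;
}

/* Carve the arrays out of stackbuf (STACK_LIMIT bytes, caller-owned) or
   out of the heap.  A failed malloc() is an error: no stack fallback. */
static int scratch_get (struct scratch *s, size_t s1len, size_t s2len,
                        int32_t *stackbuf)
{
  size_t need;
  void *base = stackbuf;
  s->heap = NULL;
  if (scratch_size (s1len, s2len, &need) != 0)
    return -1;
  if (need > STACK_LIMIT && (base = s->heap = malloc (need)) == NULL)
    return -1;
  s->idx1arr = base;
  s->idx2arr = &s->idx1arr[s1len];
  s->rule1arr = (unsigned char *) &s->idx2arr[s2len];
  s->rule2arr = &s->rule1arr[s1len];
  return 0;
}

int main (void)
{
  static int32_t buf[STACK_LIMIT / sizeof (int32_t)];
  struct scratch s;
  int rc = scratch_get (&s, 10000, 10000, buf);  /* constructed lengths */
  free (s.heap);
  return rc != 0;
}
```

A caller that gets -1 has to pick its own degraded path, for example comparing without the precomputed index arrays.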