This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug libc/15672] New: error_tail overflow in allocation calculation
- From: "jsm28 at gcc dot gnu.org" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Mon, 24 Jun 2013 19:58:52 +0000
- Subject: [Bug libc/15672] New: error_tail overflow in allocation calculation
- Auto-submitted: auto-generated
http://sourceware.org/bugzilla/show_bug.cgi?id=15672
Bug ID: 15672
Summary: error_tail overflow in allocation calculation
Product: glibc
Version: 2.17
Status: NEW
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: jsm28 at gcc dot gnu.org
CC: drepper.fsp at gmail dot com
misc/error.c:error_tail, in the conversion code for when stderr is
wide-oriented, calculates an allocation size as (len * sizeof (wchar_t))
without checking if that might overflow, as it would for a 1GB string on a
32-bit system.
It seems unlikely for an application to call error with an untrusted error
string that is nevertheless known to be a valid printf format string (if it's
not checked to be a valid format string, at least without %n, there's a much
more simple exploit), but obviously such an allocation should be checked in any
case.
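An added example, not glibc's code or its eventual fix, showing the overflow the report describes and a checked size calculation before allocating. The function names are hypothetical, and the 32-bit case is modelled with `uint32_t` and an assumed 4-byte `wchar_t` so the wrap is visible on a 64-bit host.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* The unchecked calculation, modelled with a 32-bit size_t and a 4-byte
   wchar_t (assumed ABI) so the wrap is visible on any host. */
static uint32_t unchecked_size32(uint32_t len)
{
    return len * (uint32_t)4;            /* wraps modulo 2^32 */
}

/* Checked calculation: 0 on success, -1 if len * sizeof (wchar_t)
   cannot be represented in size_t. */
static int wide_alloc_size(size_t len, size_t *bytes)
{
    if (len > SIZE_MAX / sizeof(wchar_t))
        return -1;
    *bytes = len * sizeof(wchar_t);
    return 0;
}

/* Hypothetical helper: convert a multibyte message to a newly allocated
   wide string, refusing any length whose byte count would overflow. */
static wchar_t *to_wide_checked(const char *msg)
{
    size_t len = strlen(msg) + 1;        /* wide chars needed, incl. NUL */
    size_t bytes;
    if (wide_alloc_size(len, &bytes) != 0)
        return NULL;
    wchar_t *w = malloc(bytes);
    if (w == NULL)
        return NULL;
    mbstate_t st;
    memset(&st, 0, sizeof st);
    const char *src = msg;
    if (mbsrtowcs(w, &src, len, &st) == (size_t)-1) {
        free(w);
        return NULL;
    }
    return w;
}

int main(void)
{
    printf("1 GiB, 32-bit: %u bytes\n", (unsigned)unchecked_size32(0x40000000u));
    return 0;
}
```

With the unchecked form, a 1 GiB length yields a request of 0 bytes, so the allocation succeeds while the conversion that follows writes far past it.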