This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug libc/19652] New: Missing sanity check for malloc() in glibc-2.22 plus possible NULL pointer dereference (CWE-476)
- From: "wp02855 at gmail dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Wed, 17 Feb 2016 17:58:04 +0000
- Subject: [Bug libc/19652] New: Missing sanity check for malloc() in glibc-2.22 plus possible NULL pointer dereference (CWE-476)
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=19652
Bug ID: 19652
Summary: Missing sanity check for malloc() in glibc-2.22 plus
possible NULL pointer dereference (CWE-476)
Product: glibc
Version: unspecified
Status: NEW
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: wp02855 at gmail dot com
CC: drepper.fsp at gmail dot com
Target Milestone: ---
Created attachment 8995
--> https://sourceware.org/bugzilla/attachment.cgi?id=8995&action=edit
patch file for above bug report (diff -u)
In directory 'io', file 'tst-fcntl.c', there is a call to malloc()
whose return value is not checked for NULL, which would indicate failure.
Immediately after the malloc() call, mempcpy() is called, and if its
first argument is NULL, a segmentation fault/violation will occur.
The patch file below should address/correct this issue:
--- tst-fcntl.c.orig 2016-02-16 17:20:29.644379422 -0800
+++ tst-fcntl.c 2016-02-16 17:24:02.171387148 -0800
@@ -45,6 +45,11 @@
name_len = strlen (test_dir);
name = malloc (name_len + sizeof ("/fcntlXXXXXX"));
+ if (name == NULL)
+ {
+ puts ("out of memory");
+ exit (1);
+ }
mempcpy (mempcpy (name, test_dir, name_len),
"/fcntlXXXXXX", sizeof ("/fcntlXXXXXX"));
add_temp_file (name);
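Review bot: puts and exit need <stdio.h> and <stdlib.h>, and the hunk does not show whether tst-fcntl.c already includes them, so please confirm the file still compiles with the new lines. Since the name is handed to add_temp_file right after, this is the test's prepare step, where exiting is the only option and a nonzero status is right; writing the diagnostic to stderr (for example `perror ("malloc")`) would keep the reason in the test log rather than on stdout.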
=======================================================================
In directory 'io', file 'test-lfs.c', there is a call to malloc()
whose return value is not checked for NULL, which would indicate failure.
Immediately after the malloc() call, mempcpy() is called, and if its
first argument is NULL, a segmentation fault/violation will occur.
The patch file below should address/correct this issue:
--- test-lfs.c.orig 2016-02-16 17:28:49.131397581 -0800
+++ test-lfs.c 2016-02-16 17:29:45.831399642 -0800
@@ -54,6 +54,11 @@
name_len = strlen (test_dir);
name = malloc (name_len + sizeof ("/lfsXXXXXX"));
+ if (name == NULL)
+ {
+ puts ("out of memory");
+ exit (1);
+ }
mempcpy (mempcpy (name, test_dir, name_len),
"/lfsXXXXXX", sizeof ("/lfsXXXXXX"));
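Review bot: this is the same five-line block as the tst-fcntl.c hunk, and the same check applies: confirm test-lfs.c includes <stdio.h> and <stdlib.h> for puts and exit, and consider reporting the failure on stderr rather than stdout.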
=======================================================================
In directory 'libio', file 'tst-fopenloc.c', there is a call to malloc()
whose return value is not checked for NULL, which would indicate failure.
Immediately after the malloc() call, strcpy() is called, and if its
first argument is NULL, a segmentation fault/violation will occur.
The patch file below should address/correct this issue:
--- tst-fopenloc.c.orig 2016-02-16 17:47:29.137438298 -0800
+++ tst-fopenloc.c 2016-02-16 17:48:40.176440881 -0800
@@ -40,6 +40,11 @@
const size_t sz = 2 * 1024 * 1024;
char *ccs = malloc (sz);
+ if (css == NULL)
+ {
+ puts ("out of memory");
+ exit (1);
+ }
strcpy (ccs, "r,ccs=");
memset (ccs + 6, 'A', sz - 6 - 1);
ccs[sz - 1] = '\0';
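Review bot: the new check tests `css`, but the variable declared on the line above it is `ccs`; as written the hunk will not compile (undeclared identifier). It should read `if (ccs == NULL)`.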
=======================================================================
In directory 'libio', file 'tst-fopenloc.c', there is a call to malloc()
whose return value is not checked for NULL, which would indicate failure.
Immediately after the malloc() call, memset() is called, and if its
first argument is NULL, a segmentation fault/violation will occur.
The patch file below should address/correct this issue:
--- tst-mmap2-eofsync.c.orig 2016-02-16 17:51:52.835447885 -0800
+++ tst-mmap2-eofsync.c 2016-02-16 17:52:29.957449234 -0800
@@ -21,6 +21,11 @@
do_prepare (void)
{
pages = malloc (getpagesize () * 2);
+ if (pages == NULL)
+ {
+ puts ("out of memory");
+ exit (1);
+ }
memset (pages, 'a', getpagesize ());
memset (pages + getpagesize (), 'b', getpagesize ());
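Review bot: this hunk is against tst-mmap2-eofsync.c, not tst-fopenloc.c as the paragraph above it says; please fix the description so the two match. The check itself fits do_prepare: pages is written by both memset calls immediately after the allocation, so exiting on NULL is the right response there.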
=======================================================================
In directory 'libio', file 'wfileops.c', in function 'do_ftell_wide',
there is a call to malloc() whose return value is NOT tested for NULL,
which would indicate failure. The patch file below should address/correct
this issue:
--- wfileops.c.orig 2016-02-16 18:19:52.270508940 -0800
+++ wfileops.c 2016-02-16 18:26:39.686523751 -0800
@@ -701,6 +701,11 @@
/* Allocate enough space for the conversion. */
size_t outsize = delta * sizeof (wchar_t);
char *out = malloc (outsize);
+ if (out == NULL)
+ {
+ __set_errno (ENOMEM);
+ return WEOF;
+ }
char *outstop = out;
const wchar_t *in = fp->_wide_data->_IO_write_base;
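Review bot: the `__set_errno (ENOMEM)` is redundant: glibc's malloc already sets errno to ENOMEM when it returns NULL, so the check only needs the return. More importantly, confirm that `WEOF` is the failure value the callers of do_ftell_wide test for: WEOF is a wint_t, and the hunk does not show the function's return type or how its result is compared, so a caller checking against EOF or -1 on an off64_t would not see this as an error. Use whatever value the function's existing error paths already return.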
=======================================================================
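As an added example (not part of the bug report or of glibc's own code), the temp-file name construction used by the io/ tests above, rewritten so the allocation result is checked before anything is written through it and with the allocator injected, which lets the failure path be exercised without exhausting memory. The same return-NULL-with-errno shape is what library code such as do_ftell_wide needs in place of exit. make_temp_name, failing_alloc, alloc_fn and the "/tmp" sample directory are this example's own names, not identifiers from glibc.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef void *(*alloc_fn) (size_t);

/* Builds dir + suffix + NUL the way the io/ tests do, but fails cleanly
   when the allocator returns NULL instead of writing through it.
   Returns a heap string the caller frees, or NULL with errno == ENOMEM.  */
static char *
make_temp_name (const char *dir, const char *suffix, alloc_fn alloc)
{
  size_t dir_len = strlen (dir);
  size_t suffix_len = strlen (suffix);

  char *name = alloc (dir_len + suffix_len + 1);   /* +1: terminating NUL */
  if (name == NULL)
    {
      /* glibc's malloc already sets ENOMEM; set it here as well so the
         contract holds for any injected allocator.  */
      errno = ENOMEM;
      return NULL;
    }

  /* Two copies chained like the original mempcpy (mempcpy (...)) call;
     memcpy is used so the example builds without _GNU_SOURCE.  */
  memcpy (name, dir, dir_len);
  memcpy (name + dir_len, suffix, suffix_len + 1);   /* copies the NUL too */
  return name;
}

/* Constructed allocator that always fails, standing in for an exhausted heap.  */
static void *
failing_alloc (size_t n)
{
  (void) n;
  return NULL;
}

/* 1 if the real allocator yields the expected template, 0 otherwise.  */
static int
success_path_builds_template (void)
{
  char *name = make_temp_name ("/tmp", "/fcntlXXXXXX", malloc);
  if (name == NULL)
    return 0;
  int ok = strcmp (name, "/tmp/fcntlXXXXXX") == 0;
  free (name);
  return ok;
}

/* 1 if the failure path returns NULL with errno set, rather than crashing.  */
static int
failure_path_is_handled (void)
{
  errno = 0;
  char *name = make_temp_name ("/tmp", "/fcntlXXXXXX", failing_alloc);
  return name == NULL && errno == ENOMEM;
}

int
main (void)
{
  printf ("success path: %s\n", success_path_builds_template () ? "ok" : "FAIL");
  printf ("failure path: %s\n", failure_path_is_handled () ? "handled" : "FAIL");
  return 0;
}
```

Injecting the allocator is the cheap way to cover the NULL branch in a unit test; the failing_alloc stand-in drives exactly the path the patches above add, so a regression (a check removed, or a typo such as testing the wrong variable) shows up as a crash in the test rather than in a user's out-of-memory situation.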