This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [patch] Fix for heap overflow in wscanf (BZ 16618)

From: Paul Eggert <eggert at cs dot ucla dot edu>
To: Paul Pluzhnikov <ppluzhnikov at google dot com>, Andreas Schwab <schwab at suse dot de>
Cc: Rich Felker <dalias at libc dot org>, libc-alpha at sourceware dot org
Date: Mon, 02 Feb 2015 11:23:29 -0800
Subject: Re: [patch] Fix for heap overflow in wscanf (BZ 16618)
Authentication-results: sourceware.org; auth=none
References: <CALoOobPgvuBLTk4GzOchr792MHNi1yLgsO5Jqf8MPvY+bk544Q at mail dot gmail dot com> <20150202050906 dot GF23507 at brightrain dot aerifal dot cx> <CALoOobP5yEqB-oKUvPVJm0znonYJ_iM1q_uFBNT2sRojBguJ-A at mail dot gmail dot com> <mvmiofkiqaj dot fsf at hawking dot suse dot de> <CALoOobPyDepfTFp=_y50iKHxAhKV8W+ZkUiV6e-2O=kgpT_08g at mail dot gmail dot com>

On 02/02/2015 08:57 AM, Paul Pluzhnikov wrote:

+	  if (__glibc_unlikely (wpmax > SIZE_MAX / 2)			    \
+	      || __glibc_unlikely (newsize > SIZE_MAX / sizeof (CHAR_T)))   \

"if (__glibc_unlikely (wpmax > SIZE_MAX / sizeof (CHAR_T) / 2)" isshorter and faster. Also, the proposed patch duplicates the use_malloc/ free / done code, which is messy. And there's an existing use of'use_malloc' which makes sense only if the code ignores overflow, whichit no longer does.

So, how about the attached (untested) patch to vfscanf.c instead? It'ssimpler. It does rely on realloc (wp, SIZE_MAX) returning NULL, butthat's safe in glibc.

diff --git a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c
index cd129a8..0e204e7 100644
--- a/stdio-common/vfscanf.c
+++ b/stdio-common/vfscanf.c
@@ -272,9 +272,10 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr,
       if (__glibc_unlikely (wpsize == wpmax))				      \
 	{								    \
 	  CHAR_T *old = wp;						    \
-	  size_t newsize = (UCHAR_MAX + 1 > 2 * wpmax			    \
-			    ? UCHAR_MAX + 1 : 2 * wpmax);		    \
-	  if (use_malloc || !__libc_use_alloca (newsize))		    \
+	  bool fits = __glibc_likely (wpmax <= SIZE_MAX / sizeof (CHAR_T) / 2); \
+	  size_t wpneed = MAX (UCHAR_MAX + 1, 2 * wpmax);		    \
+	  size_t newsize = fits ? wpneed * sizeof (CHAR_T) : SIZE_MAX;	    \
+	  if (!__libc_use_alloca (newsize))				    \
 	    {								    \
 	      wp = realloc (use_malloc ? wp : NULL, newsize);		    \
 	      if (wp == NULL)						    \
@@ -286,14 +287,13 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr,
 		}							    \
 	      if (! use_malloc)						    \
 		MEMCPY (wp, old, wpsize);				    \
-	      wpmax = newsize;						    \
+	      wpmax = wpneed;						    \
 	      use_malloc = true;					    \
 	    }								    \
 	  else								    \
 	    {								    \
 	      size_t s = wpmax * sizeof (CHAR_T);			    \
-	      wp = (CHAR_T *) extend_alloca (wp, s,			    \
-					     newsize * sizeof (CHAR_T));    \
+	      wp = (CHAR_T *) extend_alloca (wp, s, newsize);		    \
 	      wpmax = s / sizeof (CHAR_T);				    \
 	      if (old != NULL)						    \
 		MEMCPY (wp, old, wpsize);				    \

Follow-Ups:
- Re: [patch] Fix for heap overflow in wscanf (BZ 16618)
  - From: Paul Pluzhnikov

References:
- [patch] Fix for heap overflow in wscanf (BZ 16618)
  - From: Paul Pluzhnikov
- Re: [patch] Fix for heap overflow in wscanf (BZ 16618)
  - From: Rich Felker
- Re: [patch] Fix for heap overflow in wscanf (BZ 16618)
  - From: Paul Pluzhnikov
- Re: [patch] Fix for heap overflow in wscanf (BZ 16618)
  - From: Andreas Schwab
- Re: [patch] Fix for heap overflow in wscanf (BZ 16618)
  - From: Paul Pluzhnikov

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]