* Buffer overflow in emutls code
@ 2010-12-14 17:42 Linas Vepstas
0 siblings, 0 replies; only message in thread
From: Linas Vepstas @ 2010-12-14 17:42 UTC (permalink / raw)
To: gcc
I know that almost no one uses emutls, but I was fiddling with
it recently, and found a buffer overflow; the emutls_destroy()
function moves past the end of an array. Patch attached.
The correctness of the fix may not be immediately obvious, but
a careful study of emutls_alloc() will show that there is some
off-by-one tomfoolery, coded in on purpose (personally, I think
its poor/bad coding style). The corresponding tomfoolery
wasn't done in the matching free code, leading to this bug.
---
gcc/emutls.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
Index: gcc-4.4/gcc/emutls.c
===================================================================
--- gcc-4.4.orig/gcc/emutls.c 2010-12-13 16:53:48.000000000 -0600
+++ gcc-4.4/gcc/emutls.c 2010-12-13 17:12:27.000000000 -0600
@@ -76,7 +76,11 @@ emutls_destroy (void *ptr)
pointer size = arr->size;
pointer i;
- for (i = 0; i < size; ++i)
+ /* arr->size is the total size of area that 'arr' is pointing to.
+ * The size of 'arr->data' is one less than that.
+ * Properly, its (&arr->data[0]-arr)/sizeof(void *) = 1 less.
+ */
+ for (i = 0; i < size-1; ++i)
{
if (arr->data[i])
free (arr->data[i][-1]);
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2010-12-14 17:42 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2010-12-14 17:42 Buffer overflow in emutls code Linas Vepstas
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).