From: "siddhesh at redhat dot com"
To: glibc-bugs@sourceware.org
Subject: [Bug libc/14547] strcoll integer / buffer overflow
Date: Mon, 23 Sep 2013 06:00:00 -0000
X-Bugzilla-Product: glibc
X-Bugzilla-Component: libc
X-Bugzilla-Version: 2.16
X-Bugzilla-Status: RESOLVED
X-Bugzilla-URL: http://sourceware.org/bugzilla/

https://sourceware.org/bugzilla/show_bug.cgi?id=14547

Siddhesh Poyarekar changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status|NEW                         |RESOLVED
             CC|                            |siddhesh at redhat dot com
     Resolution|---                         |FIXED

--- Comment #7 from Siddhesh Poyarekar ---
Fixed in master:

commit 303e567a8062200dc06acde7c76fc34679f08d8f
Author: Siddhesh Poyarekar
Date:   Mon Sep 23 11:24:30 2013 +0530

    Check for integer overflow in cache size computation in strcoll

    strcoll is implemented using a cache for indices and weights of
    collation sequences in the strings so that subsequent passes do not
    have to search through collation data again.  For very large string
    inputs, the cache size computation could overflow.  In such a case,
    use the fallback function that does not cache indices and weights of
    collation sequences.

    Fixes CVE-2012-4412.

commit 141f3a77fe4f1b59b0afa9bf6909cd2000448883
Author: Siddhesh Poyarekar
Date:   Mon Sep 23 11:20:02 2013 +0530

    Fall back to non-cached sequence traversal and comparison on malloc fail

    strcoll currently falls back to alloca if malloc fails, resulting in a
    possible stack overflow.  This patch implements sequence traversal and
    comparison without caching indices and rules.

    Fixes CVE-2012-4424.
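The two commit messages above describe the same defensive pattern twice: size the cache with an overflow check, allocate it on the heap, and if either step fails take a slower path that needs no cache instead of wrapping the size or reaching for alloca. The following C program is an added illustration of that pattern and is not glibc's strcoll or any code from the bug. It assumes a toy collation weight function (digits before letters, case-folded), a cache of one int weight per character of both strings, and an allocator hook (coll_alloc) so the malloc-failure fallback can be exercised without exhausting memory; all three are constructed for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy collation weight (assumption, not a locale table): digits sort
   before letters, letters compare case-insensitively, the rest after. */
static int weight_of(unsigned char c)
{
    if (isdigit(c)) return c - '0';                  /* 0..9  */
    if (isalpha(c)) return 10 + (tolower(c) - 'a');  /* 10..35 */
    return 100 + c;
}

/* Bytes needed to cache one int weight per character of both strings.
   Every arithmetic step is checked before it is performed, so a huge
   input yields "false" rather than a small wrapped size. */
bool cache_size_checked(size_t len1, size_t len2, size_t *bytes)
{
    if (len1 > SIZE_MAX - len2) return false;           /* len1 + len2 wraps   */
    size_t entries = len1 + len2;
    if (entries > SIZE_MAX / sizeof(int)) return false; /* entries * size wraps */
    *bytes = entries * sizeof(int);
    return true;
}

/* Fallback path: recompute weights on every access. Slower, but it
   touches neither the heap nor the stack beyond a few locals. */
static int compare_uncached(const char *s1, const char *s2)
{
    for (size_t i = 0;; i++) {
        unsigned char a = (unsigned char)s1[i], b = (unsigned char)s2[i];
        if (a == 0 || b == 0) return (b == 0) - (a == 0);
        int wa = weight_of(a), wb = weight_of(b);
        if (wa != wb) return wa < wb ? -1 : 1;
    }
}

/* Cached path: weights of both strings computed once into a heap buffer
   whose size was validated by cache_size_checked(). */
static int compare_cached(const char *s1, size_t len1,
                          const char *s2, size_t len2, int *cache)
{
    int *w1 = cache, *w2 = cache + len1;
    for (size_t i = 0; i < len1; i++) w1[i] = weight_of((unsigned char)s1[i]);
    for (size_t i = 0; i < len2; i++) w2[i] = weight_of((unsigned char)s2[i]);
    size_t n = len1 < len2 ? len1 : len2;
    for (size_t i = 0; i < n; i++)
        if (w1[i] != w2[i]) return w1[i] < w2[i] ? -1 : 1;
    return (len1 > len2) - (len1 < len2);
}

/* Allocator hook (assumption for the example) so allocation failure can
   be simulated; failing_alloc() stands in for an out-of-memory malloc. */
void *(*coll_alloc)(size_t) = malloc;
static void *failing_alloc(size_t n) { (void)n; return NULL; }

/* Reported to the caller so the chosen path can be inspected. */
enum coll_path { PATH_CACHED, PATH_UNCACHED_OVERFLOW, PATH_UNCACHED_NOMEM };

int coll_compare(const char *s1, const char *s2, enum coll_path *path)
{
    size_t len1 = strlen(s1), len2 = strlen(s2), bytes;
    if (!cache_size_checked(len1, len2, &bytes)) {
        *path = PATH_UNCACHED_OVERFLOW;       /* size would wrap: no cache */
        return compare_uncached(s1, s2);
    }
    int *cache = coll_alloc(bytes);           /* heap only, never alloca */
    if (cache == NULL) {
        *path = PATH_UNCACHED_NOMEM;          /* malloc failed: no cache */
        return compare_uncached(s1, s2);
    }
    *path = PATH_CACHED;
    int r = compare_cached(s1, len1, s2, len2, cache);
    free(cache);
    return r;
}

int main(void)
{
    enum coll_path p;
    printf("abc vs ABD: %d (path %d)\n", coll_compare("abc", "ABD", &p), p);
    coll_alloc = failing_alloc;
    printf("abc vs ABD with failing malloc: %d (path %d)\n",
           coll_compare("abc", "ABD", &p), p);
    return 0;
}
```

The point of the design is that both fallbacks return exactly the answer the cached path would have returned; the cache is only an optimisation, so losing it on overflow or allocation failure costs time, not correctness, and never turns an attacker-chosen string length into a stack or heap write.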