[Bug stdio/17269] New: _IO_wstr_overflow integer overflow

public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed

From: "jsm28 at gcc dot gnu.org" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug stdio/17269] New: _IO_wstr_overflow integer overflow
Date: Thu, 14 Aug 2014 16:45:00 -0000	[thread overview]
Message-ID: <bug-17269-131@http.sourceware.org/bugzilla/> (raw)

https://sourceware.org/bugzilla/show_bug.cgi?id=17269

            Bug ID: 17269
           Summary: _IO_wstr_overflow integer overflow
           Product: glibc
           Version: 2.19
            Status: NEW
          Severity: normal
          Priority: P2
         Component: stdio
          Assignee: unassigned at sourceware dot org
          Reporter: jsm28 at gcc dot gnu.org

libio/wstrops.c:_IO_wstr_overflow does:

          _IO_size_t new_size = 2 * old_wblen + 100;
          if (new_size < old_wblen)
            return EOF;
          new_buf
            = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer)
(new_size
                                                                        *
sizeof (wchar_t));

This allows for overflow in calculating the new size in wide characters, but
not for overflow in the multiplication to compute the size in bytes, which
could thus overflow and result in a buffer overrun copying data into the new
buffer.

(I don't know about the practical exploitability with a stream opened with
open_wmemstream.  At the doubling before the one resulting in the overflow
you'd have buffers of (nearly) 1/4 and 1/2 of the address space or more
allocated simultaneously, so it needs to be possible to allocate 3/4 of the
address space in those two contiguous regions in order to get to the point
where the overflow occurs.)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

next             reply	other threads:[~2014-08-14 16:45 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-08-14 16:45 jsm28 at gcc dot gnu.org [this message]
2015-02-18 13:25 ` [Bug stdio/17269] " fweimer at redhat dot com
2015-02-18 14:20 ` fweimer at redhat dot com
2015-02-22  5:23 ` ppluzhnikov at google dot com
2015-02-22 20:03 ` cvs-commit at gcc dot gnu.org
2015-02-22 20:05 ` ppluzhnikov at google dot com
2015-07-21  2:34 ` vapier at gentoo dot org
2015-07-21  2:36 ` vapier at gentoo dot org
2015-07-21  2:38 ` cvs-commit at gcc dot gnu.org
2015-07-21  3:52 ` cvs-commit at gcc dot gnu.org
2015-10-19  9:51 ` cvs-commit at gcc dot gnu.org

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=bug-17269-131@http.sourceware.org/bugzilla/ \
    --to=sourceware-bugzilla@sourceware.org \
    --cc=glibc-bugs@sourceware.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).