From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <glibc-bugs-return-25978-listarch-glibc-bugs=sources.redhat.com@sourceware.org>
Received: (qmail 23128 invoked by alias); 14 Aug 2014 16:45:16 -0000
Mailing-List: contact glibc-bugs-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <glibc-bugs.sourceware.org>
List-Subscribe: <mailto:glibc-bugs-subscribe@sourceware.org>
List-Post: <mailto:glibc-bugs@sourceware.org>
List-Help: <mailto:glibc-bugs-help@sourceware.org>, <http://sourceware.org/lists.html#faqs>
Sender: glibc-bugs-owner@sourceware.org
Received: (qmail 22609 invoked by uid 48); 14 Aug 2014 16:45:10 -0000
From: "jsm28 at gcc dot gnu.org" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug stdio/17269] New: _IO_wstr_overflow integer overflow
Date: Thu, 14 Aug 2014 16:45:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: stdio
X-Bugzilla-Version: 2.19
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: jsm28 at gcc dot gnu.org
X-Bugzilla-Status: NEW
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status bug_severity priority component assigned_to reporter
Message-ID: <bug-17269-131@http.sourceware.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2014-08/txt/msg00061.txt.bz2

https://sourceware.org/bugzilla/show_bug.cgi?id=17269

            Bug ID: 17269
           Summary: _IO_wstr_overflow integer overflow
           Product: glibc
           Version: 2.19
            Status: NEW
          Severity: normal
          Priority: P2
         Component: stdio
          Assignee: unassigned at sourceware dot org
          Reporter: jsm28 at gcc dot gnu.org

libio/wstrops.c:_IO_wstr_overflow does:

          _IO_size_t new_size = 2 * old_wblen + 100;
          if (new_size < old_wblen)
            return EOF;
          new_buf
            = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer)
(new_size
                                                                        *
sizeof (wchar_t));

This allows for overflow in calculating the new size in wide characters, but
not for overflow in the multiplication to compute the size in bytes, which
could thus overflow and result in a buffer overrun copying data into the new
buffer.

(I don't know about the practical exploitability with a stream opened with
open_wmemstream.  At the doubling before the one resulting in the overflow
you'd have buffers of (nearly) 1/4 and 1/2 of the address space or more
allocated simultaneously, so it needs to be possible to allocate 3/4 of the
address space in those two contiguous regions in order to get to the point
where the overflow occurs.)

-- 
You are receiving this mail because:
You are on the CC list for the bug.