Sources Bugzilla – Bug 13656
vfprintf nargs integer overflow
Last modified: 2012-03-09 08:36:47 UTC
The nargs value can overflow when doing allocations, and argument-based offsets are not bounds-checked, allowing arbitrary memory writes via format strings, bypassing _FORTIFY_SOURCE protections:
Patch in progress:
Fixed in git head, this should be backported to all active branches.
FYI, a comment form Laszlo Ersek in Red Hat BZ:
The easiest fix would have been to restrict "nargs" to NL_ARGMAX.
Tomas, could you or Laszlo bring this up on libc-alpha, please?
(In reply to comment #3)
> Tomas, could you or Laszlo bring this up on libc-alpha, please?
This was posted in:
Replies indicate it is preferred to limit nargs by available memory rather than using an arbitrary limit, i.e. what Kees' patch was doing already.
Related commit links for posterity:
so I am marking this bug as fixed.