This is the mail archive of the mailing list for the glibc project.
[Bug libc/756] missing arithmetic overflow check
- From: "simon at josefsson dot org" <sourceware-bugzilla at sources dot redhat dot com>
- To: glibc-bugs at sources dot redhat dot com
- Date: 23 Feb 2005 23:28:32 -0000
- Subject: [Bug libc/756] missing arithmetic overflow check
- References: <email@example.com>
- Reply-to: sourceware-bugzilla at sources dot redhat dot com
------- Additional Comments From simon at josefsson dot org 2005-02-23 23:28 -------
No, I think the problem is if:
size_t outbuf_size = (inbytes_remaining + 1) * MB_LEN_MAX;
results in 0, due to some overflow in the * operation. I.e., let's say strlen (p)
is SIZE_MAX / MB_LEN_MAX - 1. Then outbuf_size would be 0, and then
size_t outbytes_remaining = outbuf_size - 1; /* -1 for NUL */
outbytes_remaining would be SIZE_MAX, which leads to a buffer overrun because
iconv will think the buffer is SIZE_MAX large, but the allocated size is only 0.
I could be mistaken though, I find the issues slightly subtle at times.
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
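The two quoted lines, reproduced as an added example that is not code from the bug report or from glibc, with an overflow-aware variant beside them. The function names and the sample inputs are assumptions made for the illustration; the point shown is that `(n + 1) * MB_LEN_MAX` wraps silently for large `n`, that the later `- 1` turns a wrapped 0 into SIZE_MAX, and that a bounds check before the multiply refuses such inputs instead of producing a tiny allocation with a huge claimed size.

```c
#include <limits.h>   /* MB_LEN_MAX */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>   /* SIZE_MAX */
#include <stdio.h>

/* The computation as quoted in the report: no check, so for large inputs
 * the multiply silently wraps modulo (SIZE_MAX + 1). */
static size_t unchecked_outbuf_size(size_t inbytes_remaining)
{
    return (inbytes_remaining + 1) * MB_LEN_MAX;
}

/* What the follow-on line `outbytes_remaining = outbuf_size - 1` yields when
 * fed the unchecked size: a wrapped size of 0 becomes SIZE_MAX. */
static size_t unchecked_outbytes_remaining(size_t inbytes_remaining)
{
    return unchecked_outbuf_size(inbytes_remaining) - 1; /* -1 for NUL */
}

/* Checked version (hypothetical helper, not glibc's): computes the same size
 * but reports, instead of wrapping, when either the +1 or the multiply would
 * exceed SIZE_MAX. Returns true and stores the size on success, false on
 * overflow, in which case the caller must not allocate or call iconv. */
static bool checked_outbuf_size(size_t inbytes_remaining, size_t *outbuf_size)
{
    if (inbytes_remaining == SIZE_MAX)        /* +1 would wrap to 0 */
        return false;
    size_t count = inbytes_remaining + 1;
    if (count > SIZE_MAX / MB_LEN_MAX)        /* count * MB_LEN_MAX would wrap */
        return false;
    *outbuf_size = count * MB_LEN_MAX;
    return true;
}

/* Smallest input for which (n + 1) * MB_LEN_MAX no longer fits in size_t. */
#define FIRST_WRAPPING_INPUT (SIZE_MAX / MB_LEN_MAX)

int main(void)
{
    size_t size = 0;

    /* Ordinary input (constructed): both paths agree. */
    size_t small = 10;
    checked_outbuf_size(small, &size);
    printf("n=%zu unchecked=%zu checked=%zu\n",
           small, unchecked_outbuf_size(small), size);

    /* Boundary input (constructed): the unchecked path wraps to a size
     * smaller than MB_LEN_MAX (0 when MB_LEN_MAX is a power of two), and the
     * subsequent -1 then reports a huge remaining capacity to iconv. */
    size_t big = FIRST_WRAPPING_INPUT;
    printf("n=%zu unchecked=%zu outbytes_remaining=%zu\n", big,
           unchecked_outbuf_size(big), unchecked_outbytes_remaining(big));
    if (!checked_outbuf_size(big, &size))
        printf("checked: refused, size would overflow\n");
    return 0;
}
```

The manual `count > SIZE_MAX / MB_LEN_MAX` test is portable C; on GCC and Clang the same check can be written as `__builtin_mul_overflow(count, MB_LEN_MAX, &size)`, which returns nonzero when the product does not fit.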