This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug stdio/16618] New: wscanf allocates too little memory
- From: "jsm28 at gcc dot gnu.org" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Fri, 21 Feb 2014 01:10:26 +0000
- Subject: [Bug stdio/16618] New: wscanf allocates too little memory
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=16618
Bug ID: 16618
Summary: wscanf allocates too little memory
Product: glibc
Version: 2.19
Status: NEW
Severity: normal
Priority: P2
Component: stdio
Assignee: unassigned at sourceware dot org
Reporter: jsm28 at gcc dot gnu.org
stdio-common/vfscanf.c has an ADDW macro that tries to determine whether to use
malloc or alloca for allocations. But in the malloc case, it only allocates
newsize bytes instead of the required newsize * sizeof (CHAR_T). Thus the
allocated buffer gets overrun in the wide-string case, as shown by the
following testcase:
#include <stdlib.h>
#include <wchar.h>

#define SIZE 131072

int
main (void)
{
  /* Build a wide string of SIZE '0' digits, long enough to exceed the
     undersized malloc'd buffer in ADDW.  */
  wchar_t *s = malloc ((SIZE + 1) * sizeof (*s));
  if (s == NULL)
    abort ();
  for (size_t i = 0; i < SIZE; i++)
    s[i] = L'0';
  s[SIZE] = L'\0';
  int i;
  if (swscanf (s, L"%d", &i) != 1)
    abort ();
  if (i != 0)
    abort ();
  free (s);
  return 0;
}
I expect this should be considered a security issue and get a CVE allocated.
The logic also has a problem that the comparison UCHAR_MAX + 1 > 2 * wpmax
doesn't allow for 2 * wpmax overflowing, though that would only apply if half
the address space gets allocated. The check with __libc_use_alloca also checks
against the number of array entries to allocate rather than the number of
bytes, so the function can allocate up to four times as many bytes as is libc
policy on the stack in the wide character case.
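As an added illustration of the corrected arithmetic (this is not glibc's ADDW and not code from the report): a growable wide-character buffer that allocates cap * sizeof (wchar_t) bytes, refuses to double when 2 * cap would wrap, and checks the stack budget in bytes rather than in elements. STACK_BUDGET_BYTES, struct wbuf and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <wchar.h>
/* Hypothetical stack budget standing in for the libc alloca policy. */
#define STACK_BUDGET_BYTES 65536
/* Growable wide-character buffer, a stand-in for what ADDW maintains. */
struct wbuf { wchar_t *data; size_t len; size_t cap; };
/* Double the capacity: 0 on success, -1 if 2 * cap or the byte count would
   wrap.  Allocate cap * sizeof (wchar_t) bytes, not cap bytes. */
static int
wbuf_grow (struct wbuf *b)
{
  if (b->cap > SIZE_MAX / 2)
    return -1;                        /* 2 * cap would overflow */
  size_t newcap = b->cap == 0 ? 256 : 2 * b->cap;
  if (newcap > SIZE_MAX / sizeof (wchar_t))
    return -1;                        /* byte count would overflow */
  wchar_t *p = realloc (b->data, newcap * sizeof (wchar_t));
  if (p == NULL)
    return -1;
  b->data = p;
  b->cap = newcap;
  return 0;
}
/* Append one character: 0 on success, -1 on allocation failure. */
static int
wbuf_add (struct wbuf *b, wchar_t wc)
{
  if (b->len == b->cap && wbuf_grow (b) != 0)
    return -1;
  b->data[b->len++] = wc;
  return 0;
}
/* Stack-budget check done in bytes, not in element count. */
static int
fits_stack_budget (size_t nelems)
{
  return nelems <= STACK_BUDGET_BYTES / sizeof (wchar_t);
}
/* Store N copies of WC; returns the count stored, or 0 on failure. */
static size_t
fill_buffer (struct wbuf *b, wchar_t wc, size_t n)
{
  for (size_t i = 0; i < n; i++)
    if (wbuf_add (b, wc) != 0)
      return 0;
  return b->len;
}
```

Filling the buffer with the 131072 wide characters from the testcase above exercises the doubling path nine times, and each reallocation is sized in bytes.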