This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
On 04 Oct 2014 13:31, Vladimir A. Nazarenko wrote:
> --- a/misc/mntent_r.c
> +++ b/misc/mntent_r.c
> @@ -135,7 +135,11 @@ __getmntent_r (FILE *stream, struct mntent *mp, char *buffer, int bufsiz)
>
> end_ptr = strchr (buffer, '\n');
> if (end_ptr != NULL) /* chop newline */
> - *end_ptr = '\0';
> + {
> + while (end_ptr[-1] == ' ' || end_ptr[-1] == '\t')
> + end_ptr--;
> + *end_ptr = '\0';
> + }

This randomly corrupts memory when you get a blank line, which is pretty common I think in /etc/fstab. buffer = "\n", which means end_ptr will be buffer, which means end_ptr[-1] is random stack memory. If it happens to be 0x20 or 0x09, you corrupt a single byte. Happens whenever the line is just whitespace, as you walk back to the start of the buffer allocation.

The way the malloc heaps are laid out, it doesn't seem to be noticed for most arches, but it's easily reproducible on ppc32.

https://sourceware.org/bugzilla/show_bug.cgi?id=18887

-mike
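Review bot: the backward scan in the added while loop has no lower bound. When the line is just "\n" (or only spaces and tabs), end_ptr reaches buffer and end_ptr[-1] reads the byte before the caller's buffer; if that byte happens to be a space or tab, end_ptr is decremented past the start and the following `*end_ptr = '\0';` writes outside the buffer. Bound the loop on the buffer start, e.g. `while (end_ptr > buffer && (end_ptr[-1] == ' ' || end_ptr[-1] == '\t'))`, so a blank or whitespace-only line is returned as an empty string rather than causing an out-of-bounds write.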
Attachment:
signature.asc
Description: Digital signature
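To make the failure mode above reproducible without depending on what happens to sit before the buffer, here is an added example (not glibc code and not the patch author's): the unbounded scan from the quoted hunk and a bounded variant, each run against a line placed inside a larger array whose byte just before the buffer is a space. The guard byte, the array layout and the helper names are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not glibc or the patch author's code: the backward scan
 * from the quoted hunk as a stand-alone helper. It walks back over spaces
 * and tabs with no check that it stays inside 'buffer'. */
static void chop_unbounded(char *buffer)
{
    char *end_ptr = strchr(buffer, '\n');
    if (end_ptr != NULL)              /* chop newline and trailing blanks */
    {
        while (end_ptr[-1] == ' ' || end_ptr[-1] == '\t')
            end_ptr--;
        *end_ptr = '\0';
    }
}

/* Bounded variant: the scan stops at the start of the buffer, so a line
 * that is only "\n" or only blanks becomes "" instead of an underflow. */
static void chop_bounded(char *buffer)
{
    char *end_ptr = strchr(buffer, '\n');
    if (end_ptr != NULL)
    {
        while (end_ptr > buffer && (end_ptr[-1] == ' ' || end_ptr[-1] == '\t'))
            end_ptr--;
        *end_ptr = '\0';
    }
}

/* Test rig (an assumption of this example): the line is copied into the
 * middle of a larger array whose byte just before it is a space, standing
 * in for "random memory" that happens to be 0x20. Any underflow lands on
 * that guard byte instead of on unrelated memory, so the demonstration
 * stays inside one array. Returns 1 if the guard byte was overwritten. */
static int guard_clobbered(void (*chop)(char *), const char *line)
{
    char storage[64];
    memset(storage, 'X', sizeof storage);   /* non-blank fill stops the scan */
    storage[1] = ' ';                       /* guard byte before the buffer */
    char *buffer = storage + 2;
    if (strlen(line) >= sizeof storage - 2)
        return -1;
    strcpy(buffer, line);
    chop(buffer);
    return storage[1] != ' ';
}

/* Returns 1 if chop() turns 'line' into exactly 'expected'. Only safe
 * with chop_bounded, or with lines that contain a non-blank character. */
static int chop_gives(void (*chop)(char *), const char *line, const char *expected)
{
    char buffer[64];
    if (strlen(line) >= sizeof buffer)
        return 0;
    strcpy(buffer, line);
    chop(buffer);
    return strcmp(buffer, expected) == 0;
}

int main(void)
{
    /* Constructed sample lines: an fstab entry with trailing blanks, a
     * whitespace-only line, and an empty line. */
    const char *lines[] = { "/dev/sda1 / ext4 defaults 0 1  \t\n", "   \n", "\n" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("line %zu: unbounded clobbers guard=%d, bounded clobbers guard=%d\n",
               i, guard_clobbered(chop_unbounded, lines[i]),
               guard_clobbered(chop_bounded, lines[i]));
    return 0;
}
```

The bounded variant's `end_ptr > buffer` check is evaluated before `end_ptr[-1]` is read, so the scan never looks at or writes to memory before the caller's buffer; for the empty and whitespace-only lines it leaves an empty string, which is what the surrounding __getmntent_r loop already treats as a line to skip.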