Summary: | tzfile.c heap overrun/corruption (CVE-2009-5029) | ||
---|---|---|---|
Product: | glibc | Reporter: | Paul Eggert <eggert> |
Component: | libc | Assignee: | Ulrich Drepper <drepper.fsp> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | allan, fweimer, law, polacek, rguenth, toolchain, vapier |
Priority: | P2 | Flags: | fweimer: security+ |
Version: | 2.14 | ||
Target Milestone: | --- | ||
Host: | Target: | ||
Build: | Last reconfirmed: | ||
Attachments: | Jeff Law work-in-progress patch; catch multiplication as well as addition overflows |
Description
Paul Eggert
2011-12-15 20:44:55 UTC
Created attachment 6114
catch multiplication as well as addition overflows
Jeff Law's work-in-progress patch misses some problematic overflows. This is
because the integer multiplications may overflow too. Attached is an
untested patch that catches the problematic overflows that I found
by inspection. This patch does not attempt to catch all overflows, only
those that might corrupt memory.
I added a patch.

Note that there is a typo in that patch. The "tzspec == 0" should be "tzspec_len == 0". I sent the trivial patch to the mailing list (awaiting moderation).

Also looks like s390 won't build because SIZE_MAX is not defined. Guessing stdint.h needs to be included in tzfile.c

(In reply to comment #5)
> Also looks like s390 won't build because SIZE_MAX is not defined. Guessing
> stdint.h needs to be included in tzfile.c

The correct change is to make the s390 header look like the x86-64 headers.
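The overflow class raised in the description, and the SIZE_MAX dependency mentioned in the comments, shown as an added example (not glibc's code and not either attached patch): a buffer size built from counts must check every multiplication as well as every addition against SIZE_MAX from `<stdint.h>`. The struct, its fields and the function names are hypothetical, and the counts are assumed to come from an untrusted file.

```c
#include <stddef.h>
#include <stdint.h>   /* SIZE_MAX */

/* Hypothetical helper: *total += count * elem_size.
   Returns 0 on success, -1 if the multiplication or the addition would wrap. */
static int add_array_size(size_t *total, size_t count, size_t elem_size)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return -1;                       /* count * elem_size overflows */
    size_t bytes = count * elem_size;
    if (bytes > SIZE_MAX - *total)
        return -1;                       /* *total + bytes overflows */
    *total += bytes;
    return 0;
}

/* Constructed stand-in for counts parsed from an untrusted file header. */
struct counts { size_t num_transitions, num_types, chars; };

/* Checked form: stores the total in *out and returns 0, or returns -1
   (leaving *out untouched) when the size is not representable. */
int checked_table_size(const struct counts *c, size_t transition_size,
                       size_t type_size, size_t *out)
{
    size_t total = 0;
    if (add_array_size(&total, c->num_transitions, transition_size) != 0
        || add_array_size(&total, c->num_types, type_size) != 0
        || add_array_size(&total, c->chars, 1) != 0)
        return -1;
    *out = total;
    return 0;
}

/* Unchecked form for comparison: the arithmetic wraps modulo SIZE_MAX + 1,
   so a huge count can yield a small allocation size. */
size_t unchecked_table_size(const struct counts *c, size_t transition_size,
                            size_t type_size)
{
    return c->num_transitions * transition_size
           + c->num_types * type_size + c->chars;
}
```

With `num_transitions = SIZE_MAX / 8 + 1` and 8-byte elements, the unchecked product wraps to zero, so an addition-only check sees a small, plausible total.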