Bug 25729 - Invalid Pointer Arithmetic in g_path_get_basename
Status: RESOLVED MOVED
Alias: None
Product: glibc
Classification: Unclassified
Component: libc
Version: unspecified
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Reported: 2020-03-26 13:12 UTC by Fabien Lheureux
Modified: 2020-03-26 14:32 UTC
fw: security-


Description Fabien Lheureux 2020-03-26 13:12:41 UTC
## Analysis Context

*The verification was performed with TrustInSoft Analyzer, a formal
static analyzer for C and C++.*

*The result is part of a larger security assessment performed by
TrustInSoft for* ***Naval Group***.

This issue was found during the analysis of wireshark, and the analysis of wireshark was performed in the following environment:

----------------- ----------------------------------------------
Platform          Ubuntu Linux 18.04
Tool              TrustInSoft Analyzer, a formal static analyzer
Input Files       Fuzzing of 10 000 pcap files using AFL
Verification      Analysis of `process_cap_file` with the AFL corpus
----------------- ----------------------------------------------

------------ ------------------- ---------------------- ----------------
Wireshark    version v2.6.16rc0  git commit dcd65a4012  https://github.com/wireshark/wireshark.git
glib         version 2.62.6      git commit eb0f73a39   https://github.com/GNOME/glib.git
libgcrypt    version 1.8.5       git commit ada758e3    https://github.com/gpg/libgcrypt.git
libgpg-error version 1.37        git commit 85b5006     https://github.com/gpg/libgpg-error.git
libpcap      version 1.9.1       git commit 1547215c    https://github.com/the-tcpdump-group/libpcap.git
pcre         version 8.43-RC1    git commit 10e4adb     https://github.com/svn2github/pcre.git
pcre2        version 10.10       git commit a677f5b     https://github.com/luvit/pcre2.git
zlib         version 10.10       git commit a677f5b     https://github.com/madler/zlib.git
------------ ------------------- ---------------------- ----------------

- valgrind is deactivated in glib
- PCRE library is deactivated in glib
- `cap_files_hashes` is deactivated in wireshark

## Invalid Pointer Arithmetic in *g_path_get_basename*

In the function `g_path_get_basename`, the expression `file_name +
base + 1` may compute an invalid pointer when `base` is equal to `-1`
and the evaluation of the expression is performed as `(file_name +
base) + 1`.

File: glib/glib/gfileutils.c

```c
memcpy (retval, file_name + base + 1, len);
```

With the following patch, no invalid pointer is computed.


```c
memcpy (retval, file_name + (base + 1), len);
```
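
The following is an added example, not part of the original report and not glib's source: a simplified basename routine showing how a backward scan leaves the index at `-1` for a name with no separator, and how the parenthesized form from the report keeps every intermediate pointer in bounds. The names `basename_copy`, `last_separator` and `copy_range` are hypothetical, only the `/` separator is handled, and the input string is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Index of the last '/' at or before `from`, or -1 when there is none. */
static ptrdiff_t last_separator(const char *s, ptrdiff_t from)
{
    while (from >= 0 && s[from] != '/')
        from--;
    return from;
}

/* Copy `len` bytes starting at `start` into a fresh NUL-terminated buffer. */
static char *copy_range(const char *start, size_t len)
{
    char *out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, start, len);
    out[len] = '\0';
    return out;
}

/* Simplified basename (hypothetical; not glib's implementation). */
char *basename_copy(const char *file_name)
{
    ptrdiff_t last = (ptrdiff_t)strlen(file_name) - 1;
    while (last >= 0 && file_name[last] == '/')   /* skip trailing separators */
        last--;
    if (last < 0)                                  /* "" or separators only */
        return copy_range(file_name[0] ? "/" : ".", 1);

    ptrdiff_t base = last_separator(file_name, last);  /* -1: no separator */
    size_t len = (size_t)(last - base);
    /* `file_name + base + 1` groups as `(file_name + base) + 1`. With
     * base == -1 the intermediate `file_name - 1` lies before the array,
     * which is undefined (C11 6.5.6p8) even though it is never dereferenced.
     * Summing the integers first keeps the pointer inside the array. */
    return copy_range(file_name + (base + 1), len);
}

int main(void)
{
    char *name = basename_copy("capture.pcap");   /* constructed input */
    printf("%s\n", name ? name : "(alloc failed)");
    free(name);
    return 0;
}
```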
Comment 1 Florian Weimer 2020-03-26 13:36:32 UTC
Please report this against glib: https://gitlab.gnome.org/GNOME/glib/issues/new
Comment 2 Fabien Lheureux 2020-03-26 14:32:43 UTC
OK, I have reported it here https://gitlab.gnome.org/GNOME/glib/-/issues/2077