This is the mail archive of the mailing list for the glibc project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: [PATCH] vfprintf stack overflow [BZ #16617]

On Fri, 5 Dec 2014, Florian Weimer wrote:

> This fell through the cracks.  I took Jeff Law's patch (which we carry as a
> local patch in Fedora and downstream), compressed the bug23-3.c test case, and
> added Joseph's test case from the bug as bug23-4.c.

What's your view of the other possible overflows there that Paul Eggert 
mentioned in <>?  
I think nspecs * sizeof (*specs) is always OK (that's the size of an 
object that's already been allocated), but 2 * nspecs_size might not be 
(if it can't overflow in practice, that's an accident to do with the 
size of struct printf_spec, the particular sequence of allocation sizes 
and how much memory it's actually possible to allocate on existing 
systems, rather than because the code is sensible to keep as-is without a 
check on that multiplication).

(If you agree there's a problem but think it should be kept separate, feel 
free to file a separate bug / get a separate CVE for it.)

Joseph S. Myers

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]