This is the mail archive of the mailing list for the glibc project.
Re: [PATCH] vfprintf stack overflow [BZ #16617]
- From: Joseph Myers <joseph at codesourcery dot com>
- To: Florian Weimer <fweimer at redhat dot com>
- Cc: GNU C Library <libc-alpha at sourceware dot org>, Jeff Law <law at redhat dot com>
- Date: Fri, 5 Dec 2014 17:01:32 +0000
- Subject: Re: [PATCH] vfprintf stack overflow [BZ #16617]
- References: <5481E0BD dot 9000203 at redhat dot com>
On Fri, 5 Dec 2014, Florian Weimer wrote:
> This fell through the cracks. I took Jeff Law's patch (which we carry as a
> local patch in Fedora and downstream), compressed the bug23-3.c test case, and
> added Joseph's test case from the bug as bug23-4.c.
What's your view of the other possible overflows there that Paul Eggert
mentioned in <https://sourceware.org/ml/libc-alpha/2012-02/msg00102.html>?
I think nspecs * sizeof (*specs) is always OK (that's the size of an
object that's already been allocated), but 2 * nspecs_size might not be
(if it can't overflow in practice, that's an accident to do with the
size of struct printf_spec, the particular sequence of allocation sizes
and how much memory it's actually possible to allocate on existing
systems, rather than because the code is sensible to keep as-is without a
check on that multiplication).
(If you agree there's a problem but think it should be kept separate, feel
free to file a separate bug / get a separate CVE for it.)
Joseph S. Myers
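A defensive illustration of the check discussed above, added here and not code from the glibc patch or from anyone in the thread: a buffer-doubling step that refuses to proceed when `2 * nspecs_size`, or the byte count derived from it, would wrap around. `struct spec_stub`, `checked_double`, `checked_bytes`, `grow_specs` and `grow_round_trip` are hypothetical stand-ins, not glibc's own names.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for glibc's struct printf_spec; only its size matters here. */
struct spec_stub { int type; size_t width; size_t prec; };

/* 2 * nspecs_size with a wrap-around check: returns 0 when doubling would overflow. */
static size_t checked_double(size_t nspecs_size)
{
    if (nspecs_size > SIZE_MAX / 2)
        return 0;
    return 2 * nspecs_size;
}

/* count * elem_size with a wrap-around check: returns 0 when the product would overflow. */
static size_t checked_bytes(size_t count, size_t elem_size)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return 0;
    return count * elem_size;
}

/* Replace a full spec buffer with one twice as large.  nspecs entries of
   *specs are live; on success *nspecs_size is updated and the new buffer
   is returned.  Returns NULL, leaving the old buffer untouched, if either
   size computation would wrap or the allocation fails. */
static struct spec_stub *grow_specs(struct spec_stub *specs, size_t nspecs, size_t *nspecs_size)
{
    size_t new_count = checked_double(*nspecs_size);
    size_t new_bytes = new_count ? checked_bytes(new_count, sizeof(*specs)) : 0;
    if (new_bytes == 0)
        return NULL;
    struct spec_stub *bigger = malloc(new_bytes);
    if (bigger == NULL)
        return NULL;
    /* nspecs * sizeof(*specs) is the size of an allocation that already exists, so it cannot wrap. */
    if (nspecs != 0)
        memcpy(bigger, specs, nspecs * sizeof(*specs));
    *nspecs_size = new_count;
    return bigger;
}

/* Constructed round trip: fill a 4-entry buffer, grow it, check the copy.  Returns 1 on success. */
static int grow_round_trip(void)
{
    size_t nspecs_size = 4;
    struct spec_stub *specs = malloc(nspecs_size * sizeof(*specs));
    if (specs == NULL)
        return 0;
    for (size_t i = 0; i < nspecs_size; i++)
        specs[i] = (struct spec_stub){ (int)i, i * 2, i * 3 };
    struct spec_stub *bigger = grow_specs(specs, nspecs_size, &nspecs_size);
    int ok = bigger != NULL && nspecs_size == 8 && bigger[3].width == 6;
    free(specs);
    free(bigger);
    return ok;
}
```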