This is the mail archive of the mailing list for the glibc project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: [patch] Fix for heap overflow in wscanf (BZ 16618)

On 02/06/2015 04:29 PM, Carlos O'Donell wrote:
> On 02/06/2015 10:19 AM, Paul Pluzhnikov wrote:
>> On Fri, Feb 6, 2015 at 6:45 AM, Carlos O'Donell <> wrote:
>>> On 02/06/2015 08:45 AM, Florian Weimer wrote:
>>>> I think this fixes as CVE-2015-1473 as well,
>> Correct.
> Could you expand a bit on this comment? Did you test that it fixes the issue?
> Did you review that it's actually the same bug?
> I trust your review, but "Correct." is not sufficiently verbose for me and
> I want to make sure we're all in agreement.

The old code had this:

     size_t newsize = (UCHAR_MAX + 1 > 2 * wpmax                       \
                       ? UCHAR_MAX + 1 : 2 * wpmax);                   \
     if (use_malloc || !__libc_use_alloca (newsize))                   \
         wp = (CHAR_T *) extend_alloca (wp, s,                         \
                                        newsize * sizeof (CHAR_T));    \

Which is to say, the alloca policy check was against newsize, but the
actual allocation used newsize * sizeof (CHAR_T).

The new version computes newsize in bytes and uses it consistently,
addressing this discrepancy.

Florian Weimer / Red Hat Product Security

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]