1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
|
From e91600a7aae3bafbefbe13abf771e61badd16286 Mon Sep 17 00:00:00 2001
From: Changqing Li <changqing.li@windriver.com>
Date: Tue, 16 Oct 2018 14:26:11 +0800
Subject: [PATCH] vasnprintf: Fix heap memory overrun bug.
Reported by Ben Pfaff <blp@cs.stanford.edu> in
<https://lists.gnu.org/archive/html/bug-gnulib/2018-09/msg00107.html>.
* lib/vasnprintf.c (convert_to_decimal): Allocate one more byte of
memory.
* tests/test-vasnprintf.c (test_function): Add another test.
Upstream-Status: Backport [http://git.savannah.gnu.org/gitweb/?p=gnulib.git;
a=commitdiff;h=278b4175c9d7dd47c1a3071554aac02add3b3c35]
CVE: CVE-2018-17942
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
ChangeLog | 8 ++++++++
lib/vasnprintf.c | 4 +++-
tests/test-vasnprintf.c | 19 ++++++++++++++++++-
3 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 9864353..5ff76a3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2018-09-23 Bruno Haible <bruno@clisp.org>
+ vasnprintf: Fix heap memory overrun bug.
+ Reported by Ben Pfaff <blp@cs.stanford.edu> in
+ <https://lists.gnu.org/archive/html/bug-gnulib/2018-09/msg00107.html>.
+ * lib/vasnprintf.c (convert_to_decimal): Allocate one more byte of
+ memory.
+ * tests/test-vasnprintf.c (test_function): Add another test.
+
2017-08-21 Paul Eggert <eggert@cs.ucla.edu>
vc-list-files: port to Solaris 10
diff --git a/lib/vasnprintf.c b/lib/vasnprintf.c
index 2e4eb19..45de49f 100644
--- a/lib/vasnprintf.c
+++ b/lib/vasnprintf.c
@@ -860,7 +860,9 @@ convert_to_decimal (mpn_t a, size_t extra_zeroes)
size_t a_len = a.nlimbs;
/* 0.03345 is slightly larger than log(2)/(9*log(10)). */
size_t c_len = 9 * ((size_t)(a_len * (GMP_LIMB_BITS * 0.03345f)) + 1);
- char *c_ptr = (char *) malloc (xsum (c_len, extra_zeroes));
+ /* We need extra_zeroes bytes for zeroes, followed by c_len bytes for the
+ digits of a, followed by 1 byte for the terminating NUL. */
+ char *c_ptr = (char *) malloc (xsum (xsum (extra_zeroes, c_len), 1));
if (c_ptr != NULL)
{
char *d_ptr = c_ptr;
diff --git a/tests/test-vasnprintf.c b/tests/test-vasnprintf.c
index 2dd869f..ff68d5c 100644
--- a/tests/test-vasnprintf.c
+++ b/tests/test-vasnprintf.c
@@ -53,7 +53,24 @@ test_function (char * (*my_asnprintf) (char *, size_t *, const char *, ...))
ASSERT (result != NULL);
ASSERT (strcmp (result, "12345") == 0);
ASSERT (length == 5);
- if (size < 6)
+ if (size < 5 + 1)
+ ASSERT (result != buf);
+ ASSERT (memcmp (buf + size, &"DEADBEEF"[size], 8 - size) == 0);
+ if (result != buf)
+ free (result);
+ }
+ /* Note: This test assumes IEEE 754 representation of 'double' floats. */
+ for (size = 0; size <= 8; size++)
+ {
+ size_t length;
+ char *result;
+ memcpy (buf, "DEADBEEF", 8);
+ length = size;
+ result = my_asnprintf (buf, &length, "%2.0f", 1.6314159265358979e+125);
+ ASSERT (result != NULL);
+ ASSERT (strcmp (result, "163141592653589790215729350939528493057529598899734151772468186268423257777068536614838678161083520756952076273094236944990208") == 0);
+ ASSERT (length == 126);
+ if (size < 126 + 1)
ASSERT (result != buf);
ASSERT (memcmp (buf + size, &"DEADBEEF"[size], 8 - size) == 0);
if (result != buf)
--
2.7.4
|
