| From c8f0723d2b4520bdd6b9eb7c3e7976de726d7ff7 Mon Sep 17 00:00:00 2001 |
| From: Hanno Boeck <hanno@hboeck.de> |
| Date: Wed, 27 Jan 2016 15:10:11 +0100 |
| Subject: [PATCH] Fix heap buffer overflow in fgetwln() |
| |
| In the function fgetwln() there's a 4 byte heap overflow. |
| |
| There is a while loop that has this check to see whether there's still |
| enough space in the buffer: |
| |
| if (!fb->len || wused > fb->len) { |
| |
| If this is true more memory gets allocated. However this test won't be |
| true if wused == fb->len, but at that point wused already points out |
| of the buffer. Some lines later there's a write to the buffer: |
| |
| fb->wbuf[wused++] = wc; |
| |
| This bug was found with the help of address sanitizer. |
| |
| Warned-by: ASAN |
| Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=93881 |
| Signed-off-by: Guillem Jover <guillem@hadrons.org> |
| |
| Upstream-Status: Backport |
| http://cgit.freedesktop.org/libbsd/commit/?id=c8f0723d2b4520bdd6b9eb7c3e7976de726d7ff7 |
| |
| CVE: CVE-2016-2090 |
| Signed-off-by: Armin Kuster <akuster@mvista.com> |
| |
| --- |
| src/fgetwln.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| diff --git a/src/fgetwln.c b/src/fgetwln.c |
| index 9ee0776..aa3f927 100644 |
| --- a/src/fgetwln.c |
| +++ b/src/fgetwln.c |
| @@ -60,7 +60,7 @@ fgetwln(FILE *stream, size_t *lenp) |
| fb->fp = stream; |
| |
| while ((wc = fgetwc(stream)) != WEOF) { |
| - if (!fb->len || wused > fb->len) { |
| + if (!fb->len || wused >= fb->len) { |
| wchar_t *wp; |
| |
| if (fb->len) |
| -- |
| 2.3.5 |
| |