| Brad Bishop | 1a4b7ee | 2018-12-16 17:11:34 -0800 | [diff] [blame^] | 1 | From e91600a7aae3bafbefbe13abf771e61badd16286 Mon Sep 17 00:00:00 2001 |
| 2 | From: Changqing Li <changqing.li@windriver.com> |
| 3 | Date: Tue, 16 Oct 2018 14:26:11 +0800 |
| 4 | Subject: [PATCH] vasnprintf: Fix heap memory overrun bug. |
| 5 | |
| 6 | Reported by Ben Pfaff <blp@cs.stanford.edu> in |
| 7 | <https://lists.gnu.org/archive/html/bug-gnulib/2018-09/msg00107.html>. |
| 8 | |
| 9 | * lib/vasnprintf.c (convert_to_decimal): Allocate one more byte of |
| 10 | memory. |
| 11 | * tests/test-vasnprintf.c (test_function): Add another test. |
| 12 | |
| 13 | Upstream-Status: Backport [http://git.savannah.gnu.org/gitweb/?p=gnulib.git; |
| 14 | a=commitdiff;h=278b4175c9d7dd47c1a3071554aac02add3b3c35] |
| 15 | |
| 16 | CVE: CVE-2018-17942 |
| 17 | |
| 18 | Signed-off-by: Changqing Li <changqing.li@windriver.com> |
| 19 | --- |
| 20 | ChangeLog | 8 ++++++++ |
| 21 | lib/vasnprintf.c | 4 +++- |
| 22 | tests/test-vasnprintf.c | 19 ++++++++++++++++++- |
| 23 | 3 files changed, 29 insertions(+), 2 deletions(-) |
| 24 | |
| 25 | diff --git a/ChangeLog b/ChangeLog |
| 26 | index 9864353..5ff76a3 100644 |
| 27 | --- a/ChangeLog |
| 28 | +++ b/ChangeLog |
| 29 | @@ -1,3 +1,11 @@ |
| 30 | +2018-09-23 Bruno Haible <bruno@clisp.org> |
| 31 | + vasnprintf: Fix heap memory overrun bug. |
| 32 | + Reported by Ben Pfaff <blp@cs.stanford.edu> in |
| 33 | + <https://lists.gnu.org/archive/html/bug-gnulib/2018-09/msg00107.html>. |
| 34 | + * lib/vasnprintf.c (convert_to_decimal): Allocate one more byte of |
| 35 | + memory. |
| 36 | + * tests/test-vasnprintf.c (test_function): Add another test. |
| 37 | + |
| 38 | 2017-08-21 Paul Eggert <eggert@cs.ucla.edu> |
| 39 | |
| 40 | vc-list-files: port to Solaris 10 |
| 41 | diff --git a/lib/vasnprintf.c b/lib/vasnprintf.c |
| 42 | index 2e4eb19..45de49f 100644 |
| 43 | --- a/lib/vasnprintf.c |
| 44 | +++ b/lib/vasnprintf.c |
| 45 | @@ -860,7 +860,9 @@ convert_to_decimal (mpn_t a, size_t extra_zeroes) |
| 46 | size_t a_len = a.nlimbs; |
| 47 | /* 0.03345 is slightly larger than log(2)/(9*log(10)). */ |
| 48 | size_t c_len = 9 * ((size_t)(a_len * (GMP_LIMB_BITS * 0.03345f)) + 1); |
| 49 | - char *c_ptr = (char *) malloc (xsum (c_len, extra_zeroes)); |
| 50 | + /* We need extra_zeroes bytes for zeroes, followed by c_len bytes for the |
| 51 | + digits of a, followed by 1 byte for the terminating NUL. */ |
| 52 | + char *c_ptr = (char *) malloc (xsum (xsum (extra_zeroes, c_len), 1)); |
| 53 | if (c_ptr != NULL) |
| 54 | { |
| 55 | char *d_ptr = c_ptr; |
| 56 | diff --git a/tests/test-vasnprintf.c b/tests/test-vasnprintf.c |
| 57 | index 2dd869f..ff68d5c 100644 |
| 58 | --- a/tests/test-vasnprintf.c |
| 59 | +++ b/tests/test-vasnprintf.c |
| 60 | @@ -53,7 +53,24 @@ test_function (char * (*my_asnprintf) (char *, size_t *, const char *, ...)) |
| 61 | ASSERT (result != NULL); |
| 62 | ASSERT (strcmp (result, "12345") == 0); |
| 63 | ASSERT (length == 5); |
| 64 | - if (size < 6) |
| 65 | + if (size < 5 + 1) |
| 66 | + ASSERT (result != buf); |
| 67 | + ASSERT (memcmp (buf + size, &"DEADBEEF"[size], 8 - size) == 0); |
| 68 | + if (result != buf) |
| 69 | + free (result); |
| 70 | + } |
| 71 | + /* Note: This test assumes IEEE 754 representation of 'double' floats. */ |
| 72 | + for (size = 0; size <= 8; size++) |
| 73 | + { |
| 74 | + size_t length; |
| 75 | + char *result; |
| 76 | + memcpy (buf, "DEADBEEF", 8); |
| 77 | + length = size; |
| 78 | + result = my_asnprintf (buf, &length, "%2.0f", 1.6314159265358979e+125); |
| 79 | + ASSERT (result != NULL); |
| 80 | + ASSERT (strcmp (result, "163141592653589790215729350939528493057529598899734151772468186268423257777068536614838678161083520756952076273094236944990208") == 0); |
| 81 | + ASSERT (length == 126); |
| 82 | + if (size < 126 + 1) |
| 83 | ASSERT (result != buf); |
| 84 | ASSERT (memcmp (buf + size, &"DEADBEEF"[size], 8 - size) == 0); |
| 85 | if (result != buf) |
| 86 | -- |
| 87 | 2.7.4 |
| 88 | |