| An upsteam patch from |
| https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06 |
| author Paul Pluzhnikov <ppluzhnikov@google.com> |
| Thu, 5 Feb 2015 22:30:42 -0700 (00:30 -0500) |
| committer Carlos O'Donell <carlos@systemhalted.org> |
| Thu, 5 Feb 2015 22:34:51 -0700 (00:34 -0500) |
| commit 5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06 |
| |
| CVE-2015-1472: wscanf allocates too little memory |
| |
| BZ #16618 |
| |
| Under certain conditions wscanf can allocate too little memory for the |
| to-be-scanned arguments and overflow the allocated buffer. The |
| implementation now correctly computes the required buffer size when |
| using malloc. |
| |
| A regression test was added to tst-sscanf. |
| |
| diff --git a/stdio-common/tst-sscanf.c b/stdio-common/tst-sscanf.c |
| index aece3f2..8a2eb9e 100644 (file) |
| --- a/stdio-common/tst-sscanf.c |
| +++ b/stdio-common/tst-sscanf.c |
| @@ -233,5 +233,38 @@ main (void) |
| } |
| } |
| |
| + /* BZ #16618 |
| + The test will segfault during SSCANF if the buffer overflow |
| + is not fixed. The size of `s` is such that it forces the use |
| + of malloc internally and this triggers the incorrect computation. |
| + Thus the value for SIZE is arbitrariy high enough that malloc |
| + is used. */ |
| + { |
| +#define SIZE 131072 |
| + CHAR *s = malloc ((SIZE + 1) * sizeof (*s)); |
| + if (s == NULL) |
| + abort (); |
| + for (size_t i = 0; i < SIZE; i++) |
| + s[i] = L('0'); |
| + s[SIZE] = L('\0'); |
| + int i = 42; |
| + /* Scan multi-digit zero into `i`. */ |
| + if (SSCANF (s, L("%d"), &i) != 1) |
| + { |
| + printf ("FAIL: bug16618: SSCANF did not read one input item.\n"); |
| + result = 1; |
| + } |
| + if (i != 0) |
| + { |
| + printf ("FAIL: bug16618: Value of `i` was not zero as expected.\n"); |
| + result = 1; |
| + } |
| + free (s); |
| + if (result != 1) |
| + printf ("PASS: bug16618: Did not crash.\n"); |
| +#undef SIZE |
| + } |
| + |
| + |
| return result; |
| } |
| diff --git a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c |
| index cd129a8..0e204e7 100644 (file) |
| --- a/stdio-common/vfscanf.c |
| +++ b/stdio-common/vfscanf.c |
| @@ -272,9 +272,10 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr, |
| if (__builtin_expect (wpsize == wpmax, 0)) \ |
| { \ |
| CHAR_T *old = wp; \ |
| - size_t newsize = (UCHAR_MAX + 1 > 2 * wpmax \ |
| - ? UCHAR_MAX + 1 : 2 * wpmax); \ |
| - if (use_malloc || !__libc_use_alloca (newsize)) \ |
| + bool fits = __glibc_likely (wpmax <= SIZE_MAX / sizeof (CHAR_T) / 2); \ |
| + size_t wpneed = MAX (UCHAR_MAX + 1, 2 * wpmax); \ |
| + size_t newsize = fits ? wpneed * sizeof (CHAR_T) : SIZE_MAX; \ |
| + if (!__libc_use_alloca (newsize)) \ |
| { \ |
| wp = realloc (use_malloc ? wp : NULL, newsize); \ |
| if (wp == NULL) \ |
| @@ -286,14 +287,13 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr, |
| } \ |
| if (! use_malloc) \ |
| MEMCPY (wp, old, wpsize); \ |
| - wpmax = newsize; \ |
| + wpmax = wpneed; \ |
| use_malloc = true; \ |
| } \ |
| else \ |
| { \ |
| size_t s = wpmax * sizeof (CHAR_T); \ |
| - wp = (CHAR_T *) extend_alloca (wp, s, \ |
| - newsize * sizeof (CHAR_T)); \ |
| + wp = (CHAR_T *) extend_alloca (wp, s, newsize); \ |
| wpmax = s / sizeof (CHAR_T); \ |
| if (old != NULL) \ |
| MEMCPY (wp, old, wpsize); \ |
| |
