| Fix CVE-2015-1472 - heap buffer overflow in wscanf |
| Backport from upstream: |
| https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06 |
| See: https://bugzilla.redhat.com/show_bug.cgi?id=1188235 |
| |
| Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> |
| |
| diff --git a/stdio-common/tst-sscanf.c b/stdio-common/tst-sscanf.c |
| index aece3f2..8a2eb9e 100644 |
| --- a/stdio-common/tst-sscanf.c |
| +++ b/stdio-common/tst-sscanf.c |
| @@ -233,5 +233,38 @@ main (void) |
| } |
| } |
| |
| + /* BZ #16618 |
| + The test will segfault during SSCANF if the buffer overflow |
| + is not fixed. The size of `s` is such that it forces the use |
| + of malloc internally and this triggers the incorrect computation. |
| + Thus the value for SIZE is arbitrariy high enough that malloc |
| + is used. */ |
| + { |
| +#define SIZE 131072 |
| + CHAR *s = malloc ((SIZE + 1) * sizeof (*s)); |
| + if (s == NULL) |
| + abort (); |
| + for (size_t i = 0; i < SIZE; i++) |
| + s[i] = L('0'); |
| + s[SIZE] = L('\0'); |
| + int i = 42; |
| + /* Scan multi-digit zero into `i`. */ |
| + if (SSCANF (s, L("%d"), &i) != 1) |
| + { |
| + printf ("FAIL: bug16618: SSCANF did not read one input item.\n"); |
| + result = 1; |
| + } |
| + if (i != 0) |
| + { |
| + printf ("FAIL: bug16618: Value of `i` was not zero as expected.\n"); |
| + result = 1; |
| + } |
| + free (s); |
| + if (result != 1) |
| + printf ("PASS: bug16618: Did not crash.\n"); |
| +#undef SIZE |
| + } |
| + |
| + |
| return result; |
| } |
| diff --git a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c |
| index cd129a8..0e204e7 100644 |
| --- a/stdio-common/vfscanf.c |
| +++ b/stdio-common/vfscanf.c |
| @@ -272,9 +272,10 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr, |
| if (__glibc_unlikely (wpsize == wpmax)) \ |
| { \ |
| CHAR_T *old = wp; \ |
| - size_t newsize = (UCHAR_MAX + 1 > 2 * wpmax \ |
| - ? UCHAR_MAX + 1 : 2 * wpmax); \ |
| - if (use_malloc || !__libc_use_alloca (newsize)) \ |
| + bool fits = __glibc_likely (wpmax <= SIZE_MAX / sizeof (CHAR_T) / 2); \ |
| + size_t wpneed = MAX (UCHAR_MAX + 1, 2 * wpmax); \ |
| + size_t newsize = fits ? wpneed * sizeof (CHAR_T) : SIZE_MAX; \ |
| + if (!__libc_use_alloca (newsize)) \ |
| { \ |
| wp = realloc (use_malloc ? wp : NULL, newsize); \ |
| if (wp == NULL) \ |
| @@ -286,14 +287,13 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr, |
| } \ |
| if (! use_malloc) \ |
| MEMCPY (wp, old, wpsize); \ |
| - wpmax = newsize; \ |
| + wpmax = wpneed; \ |
| use_malloc = true; \ |
| } \ |
| else \ |
| { \ |
| size_t s = wpmax * sizeof (CHAR_T); \ |
| - wp = (CHAR_T *) extend_alloca (wp, s, \ |
| - newsize * sizeof (CHAR_T)); \ |
| + wp = (CHAR_T *) extend_alloca (wp, s, newsize); \ |
| wpmax = s / sizeof (CHAR_T); \ |
| if (old != NULL) \ |
| MEMCPY (wp, old, wpsize); \ |
| -- |
| 1.9.4 |
| |