[libunwind] src/os-linux.h: scan_dec() and scan_char() may step past null terminator
Tue, 8 Jun 2004 18:18:01 -0700
The string scanning routines scan_dec() and scan_char() in src/os-linux.h may
step past the null character terminating a string and access invalid data or
cause a SIGSEGV.
These routines are called from maps_next(), also in src/os-linux.h, to parse
lines from the process map, /proc/<pid>/maps. On x86_64 some map lines end at
the inum field, without a following path name. When scan_dec() reaches the end
of the inum field, it advances cp past the terminator character. Subsequently
scan_string() accesses invalid data past the terminator and ultimately reads
beyond the end of the allocated buffer. By examination it is apparent that the
scan_char() routine has a similar flaw.
scan_dec() should probably not advance cp beyond any non-digit character it
encounters. scan_char() should not advance cp past a null character.
Mark Young
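The fix the report asks for, as an added example written for this page rather than libunwind's own code: scanners that never advance the cursor past the terminating NUL, exercised on constructed /proc/<pid>/maps lines, including an x86_64-style line that ends at the inum field with no path. The function names scan_dec(), scan_char() and scan_string() mirror the report; scan_hex(), hex_value(), skip_whitespace(), parse_maps_line(), the map_entry struct and the sample lines are assumptions made here and do not come from the libunwind source.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bounded scanners for /proc/<pid>/maps lines (example code, not libunwind's).
 * Every scanner returns the advanced cursor, and none of them moves it past
 * the NUL that terminates the line, so a line without a path is harmless. */

struct map_entry {
    unsigned long start, end, offset, dev_major, dev_minor, inum;
    char perms[5];
    char path[256];
};

/* Consume decimal digits; stop at the first non-digit, NUL included. */
static const char *scan_dec(const char *cp, unsigned long *valp)
{
    unsigned long val = 0;
    while (*cp >= '0' && *cp <= '9')
        val = val * 10 + (unsigned long)(*cp++ - '0');
    *valp = val;
    return cp;
}

static int hex_value(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;                      /* NUL and any other non-hex byte */
}

/* Consume hexadecimal digits with the same stopping rule as scan_dec(). */
static const char *scan_hex(const char *cp, unsigned long *valp)
{
    unsigned long val = 0;
    int d;
    while ((d = hex_value(*cp)) >= 0) {
        val = (val << 4) | (unsigned long)d;
        ++cp;
    }
    *valp = val;
    return cp;
}

/* Report the current byte; advance only when it is not the terminator. */
static const char *scan_char(const char *cp, char *valp)
{
    *valp = *cp;
    return *cp ? cp + 1 : cp;
}

static const char *skip_whitespace(const char *cp)
{
    while (*cp == ' ' || *cp == '\t')
        ++cp;
    return cp;
}

/* Copy one whitespace-delimited token into buf (NUL-terminated, truncated if
 * it does not fit). At end of line the token is simply "". */
static const char *scan_string(const char *cp, char *buf, size_t size)
{
    size_t i = 0;
    while (*cp && *cp != ' ' && *cp != '\t' && *cp != '\n') {
        if (i + 1 < size)
            buf[i++] = *cp;
        ++cp;
    }
    buf[i] = '\0';
    return cp;
}

/* Parse "start-end perms offset major:minor inum [path]". Returns 0 on
 * success, -1 on a malformed line; *endp receives the final cursor, which
 * the caller can check never lies beyond the line's NUL. */
int parse_maps_line(const char *line, struct map_entry *e, const char **endp)
{
    const char *cp = line;
    char ch;
    int rc = -1;

    memset(e, 0, sizeof *e);
    cp = scan_hex(cp, &e->start);
    cp = scan_char(cp, &ch);
    if (ch == '-') {
        cp = scan_hex(cp, &e->end);
        cp = scan_string(skip_whitespace(cp), e->perms, sizeof e->perms);
        cp = scan_hex(skip_whitespace(cp), &e->offset);
        cp = scan_hex(skip_whitespace(cp), &e->dev_major);
        cp = scan_char(cp, &ch);
        if (strlen(e->perms) == 4 && ch == ':') {
            cp = scan_hex(cp, &e->dev_minor);
            cp = scan_dec(skip_whitespace(cp), &e->inum);
            /* A line ending at inum leaves cp on the NUL and path == "". */
            cp = scan_string(skip_whitespace(cp), e->path, sizeof e->path);
            rc = 0;
        }
    }
    if (endp) *endp = cp;
    return rc;
}

int main(void)
{
    /* Constructed sample lines: with a path, without a path, and truncated. */
    const char *lines[] = {
        "00400000-0040b000 r-xp 00000000 08:01 1234567 /bin/cat",
        "7fff5000-7fff6000 rw-p 00000000 00:00 0",
        "00400000-0040b000 r-xp",
    };
    size_t i;
    for (i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        struct map_entry e;
        const char *end;
        int rc = parse_maps_line(lines[i], &e, &end);
        printf("rc=%d start=%lx end=%lx inum=%lu path='%s' consumed=%zu/%zu\n",
               rc, e.start, e.end, e.inum, e.path,
               (size_t)(end - lines[i]), strlen(lines[i]));
    }
    return 0;
}
```

The invariant worth keeping in mind when reviewing any such scanner is the one the third sample line exercises: a truncated line must make the parser fail, not read on. Each helper here stops on NUL because NUL is simply "not a digit", "not a hex digit", or "not a token character", so no separate length bookkeeping is needed as long as the line itself is NUL-terminated.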