pr buffer overflow
From: Cristian Cadar
Subject: pr buffer overflow
Date: Thu, 17 Apr 2008 17:57:15 -0700
Hi Jim, we found a buffer overflow in pr, due to the invalid
processing of backspaces and tabs.
Here is a simple input that our tool generated:
pr --e pr-bug.txt
Another input, which crashes in glibc on my machine, is:
pr -e pr-bug-crash.txt
Both pr-bug.txt and pr-bug-crash.txt are attached.
One case that triggers the bug is when the input file contains a
series of backspaces followed by a TAB. Function char_to_clump() allows
input_position to become negative, decrementing it for every backspace.
Then, when a TAB is processed, the macro TAB_WIDTH returns a number
larger than the default size of the clump_buff buffer, and the loop at
pr.c:2669-2670 writes invalid memory. The overflow seems to be bounded
(for the default tab size, width cannot exceed 15), but this seems to be
enough to crash glibc on my machine. I found the bug quite interesting.
I think it was due to the incorrect assumption that
0 <= h % c < c.
602: #define TAB_WIDTH(c_, h_) ((c_) - ((h_) % (c_)))
...
2665: width = TAB_WIDTH (chars_per_c, input_position);
2666:
2667: if (untabify_input)
2668: {
2669: for (i = width; i; --i)
2670: *s++ = ' ';
2671: chars = width;
2672: }
Cristian
Attachments:
pr-bug.txt (Text document)
pr-bug-crash.txt (Text document)
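The arithmetic behind the report, as an added example that is not code from the original message or from coreutils: it reproduces the quoted TAB_WIDTH macro, models the input_position bookkeeping of char_to_clump() for backspaces, tabs and ordinary characters, and reports how far a single TAB would overrun a clump buffer of the default size. The tab stop of 8, the buffer size of 8, the function names and the clamping variant are assumptions made here for illustration; the clamp is one plausible hardening, not the project's actual fix. The model never writes past a buffer itself; it only computes the width the untabify loop would emit.

```c
#include <stdio.h>

/* The macro exactly as quoted from pr.c in the report. */
#define TAB_WIDTH(c_, h_) ((c_) - ((h_) % (c_)))

/* Assumed for this example: the default tab stop and the default clump
   buffer size described in the report (both 8). */
#define CHARS_PER_C 8
#define CLUMP_BUFF_SIZE 8

/* Plain wrapper so the macro can be probed with any (c, h) pair. */
int tab_width(int c, int h)
{
    return TAB_WIDTH(c, h);
}

/* Model of the input_position bookkeeping in char_to_clump():
   a backspace decrements the position, a TAB advances it by TAB_WIDTH,
   anything else advances it by one.  Returns the largest width any
   single TAB produced, i.e. the largest number of spaces the untabify
   loop "for (i = width; i; --i) *s++ = ' ';" would write into clump_buff.
   With clamp != 0 the position is never allowed below zero (assumed
   hardening, not the project's fix). */
int max_tab_width(const char *input, int clamp)
{
    int input_position = 0;
    int max_width = 0;

    for (const char *p = input; *p; p++) {
        if (*p == '\b') {
            if (!clamp || input_position > 0)
                --input_position;
        } else if (*p == '\t') {
            /* In C99, h % c for negative h is negative (or zero), so the
               macro can return up to 2*c - 1 instead of at most c. */
            int width = TAB_WIDTH(CHARS_PER_C, input_position);
            if (width > max_width)
                max_width = width;
            input_position += width;
        } else {
            ++input_position;
        }
    }
    return max_width;
}

/* Number of bytes the worst TAB in the input would spill past the end
   of a CLUMP_BUFF_SIZE-byte clump buffer (0 means no overflow). */
int overflow_bytes(const char *input, int clamp)
{
    int width = max_tab_width(input, clamp);
    return width > CLUMP_BUFF_SIZE ? width - CLUMP_BUFF_SIZE : 0;
}

int main(void)
{
    /* Constructed input mirroring the reported trigger:
       seven backspaces followed by a TAB. */
    const char trigger[] = "\b\b\b\b\b\b\b\t";

    printf("TAB_WIDTH(8, -7) = %d\n", tab_width(CHARS_PER_C, -7));
    printf("unclamped: width %d, spills %d bytes\n",
           max_tab_width(trigger, 0), overflow_bytes(trigger, 0));
    printf("clamped:   width %d, spills %d bytes\n",
           max_tab_width(trigger, 1), overflow_bytes(trigger, 1));
    return 0;
}
```

Seven backspaces leave input_position at -7; -7 % 8 is -7 in C99, so TAB_WIDTH yields 8 - (-7) = 15, which is the 15-byte maximum the report mentions, and seven of those bytes land past an 8-byte clump buffer. Eight backspaces give -8 % 8 = 0 and a width of exactly 8, so the worst case recurs every 8 backspaces rather than growing without bound, which is why the overflow is bounded.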