[bug-gettext] [bug #47531] One byte heap buffer overflow in x-lua.c (tri


From: Hanno Boeck
Subject: [bug-gettext] [bug #47531] One byte heap buffer overflow in x-lua.c (triggered by make check)
Date: Fri, 25 Mar 2016 13:02:45 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36

URL:
  <http://savannah.gnu.org/bugs/?47531>

                 Summary: One byte heap buffer overflow in x-lua.c (triggered
by make check)
                 Project: GNU gettext
            Submitted by: hanno
            Submitted on: Fri 25 Mar 2016 02:02:44 PM CET
                Category: None
                Severity: 3 - Normal
              Item Group: None
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any

    _______________________________________________________

Details:

There is a one byte heap buffer overflow in x-lua.c. This is the code:

static void
string_end ()
{
  string_buf[string_buf_length] = '\0';
}


The problem is that when string_buf_length is larger than string_buf it will
still write. In the function above (string_add) there is a check for that and
a call to xrealloc in that case. See attached patch for a similar change to
string_end (I realloc only one additional byte because I assume after
string_end no more memory is needed).

This was found by running the test suite (make check) with address sanitizer
enabled. I'll attach the address sanitizer error message as well.



    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Fri 25 Mar 2016 02:02:44 PM CET  Name: gettext-fix-bufferoverflow.diff 
Size: 436B   By: hanno

<http://savannah.gnu.org/bugs/download.php?file_id=36761>
-------------------------------------------------------
Date: Fri 25 Mar 2016 02:02:44 PM CET  Name: gettext-lua-overflow-asan.txt 
Size: 4kB   By: hanno

<http://savannah.gnu.org/bugs/download.php?file_id=36762>

    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?47531>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
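
The off-by-one reported above, as an added example (not the x-lua.c source and not the attached patch): a small model of a growable string buffer whose append path checks capacity, together with a terminator routine that reserves one extra byte before writing the NUL. The names strbuf, cap, sb_reserve, sb_add, sb_end, sb_end_would_overflow and sb_from are hypothetical, and the starting capacity of 8 is an assumption chosen so the sample input fills the buffer exactly.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for string_buf / string_buf_length; "cap" is an assumed name. */
struct strbuf { char *data; size_t len; size_t cap; };

/* Grow to newcap only when index len lies outside the allocation.
   Aborts on allocation failure, in the spirit of xrealloc. */
static void sb_reserve(struct strbuf *sb, size_t newcap)
{
    if (sb->len < sb->cap) return;
    sb->data = realloc(sb->data, newcap);
    if (sb->data == NULL) abort();
    sb->cap = newcap;
}

/* Append one byte; models the path the report says already has the check. */
static void sb_add(struct strbuf *sb, char c)
{
    sb_reserve(sb, sb->cap ? sb->cap * 2 : 8);
    sb->data[sb->len++] = c;
}

/* 1 when an unchecked data[len] = '\0' would write past the allocation. */
static int sb_end_would_overflow(const struct strbuf *sb) { return sb->len >= sb->cap; }

/* Terminate the string, reserving exactly one more byte when the buffer is full. */
static void sb_end(struct strbuf *sb)
{
    sb_reserve(sb, sb->len + 1);
    sb->data[sb->len] = '\0';
}

/* Build an unterminated buffer from s, one sb_add call per byte. */
static struct strbuf sb_from(const char *s)
{
    struct strbuf sb = {0};
    while (*s) sb_add(&sb, *s++);
    return sb;
}

int main(void)
{
    struct strbuf sb = sb_from("12345678"); /* constructed input: fills cap 8 exactly */
    int full = sb_end_would_overflow(&sb);
    sb_end(&sb);
    printf("full=%d text=%s cap=%zu\n", full, sb.data, sb.cap);
    free(sb.data);
    return 0;
}
```

Building this with -fsanitize=address and replacing the sb_reserve call in sb_end with nothing reproduces the class of error the report describes for inputs that fill the buffer exactly.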