[Chicken-announce] [SECURITY] Unchecked malloc size in "external" SRFI-4 vector constructors

[Peter Bex]

Hi all,

Our user "Lemonboy" has found a vulnerability in CHICKEN's SRFI-4
constructors, when using a nonstandard extension; the "NONGC" argument
to make-[su]{8,16,32}vector.  This argument will allocate a uniform
bytevector in unmanaged memory (not subject to garbage collection),
by using malloc().

The range of the size argument would not be checked, which means a
negative size could end up being passed to malloc(), resulting in a
segfault and potential buffer overruns.

Constructor calls to allocate SRFI-4 vectors in managed memory are not
affected.

This issue has been fixed in master by commit e792fd8cc, which can be
found here in patch form:
https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=68c4e537a29d3f878016e0144c42d0e7ae5d41b4

A simple workaround would be to always check the range of the input to
be between 0 and 2^30 for 8-bit vectors, 2^29 for 16-bit vectors or 2^28
for 32-bit vectors before passing it on to the constructor.

Many thanks to Lemonboy for finding this issue and proposing an initial
patch.

Regards,
The CHICKEN Team

signature.asc
Description: Digital signature