
[Chicken-users] [SECURITY] Unchecked malloc size in "external" SRFI-4 ve

From: Peter Bex
Subject: [Chicken-users] [SECURITY] Unchecked malloc size in "external" SRFI-4 vector constructors
Date: Wed, 15 Mar 2017 20:44:59 +0100
User-agent: Mutt/1.5.23 (2014-03-12)

Hi all,

Our user "Lemonboy" has found a vulnerability in CHICKEN's SRFI-4
constructors when using a nonstandard extension: the "NONGC" argument
to make-[su]{8,16,32}vector.  This argument will allocate a uniform
bytevector in unmanaged memory (not subject to garbage collection),
by using malloc().

The range of the size argument would not be checked, which means a
negative size could end up being passed to malloc(), resulting in a
segfault and potential buffer overruns.

Constructor calls to allocate SRFI-4 vectors in managed memory are not

This issue has been fixed in master by commit e792fd8cc, which can be
found here in patch form:;a=commitdiff;h=68c4e537a29d3f878016e0144c42d0e7ae5d41b4

A simple workaround would be to always check the range of the input to
be between 0 and 2^30 for 8-bit vectors, 2^29 for 16-bit vectors or 2^28
for 32-bit vectors before passing it on to the constructor.

Many thanks to Lemonboy for finding this issue and proposing an initial


Attachment: signature.asc
Description: Digital signature
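
The range check from the workaround above, sketched at the C level where the unmanaged allocation reaches malloc(). This is an added example, not CHICKEN's code or the referenced patch; the names max_elements, unchecked_request and alloc_uvector are hypothetical, and treating the upper bounds as inclusive is an assumption.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Per-width element limits from the advisory's workaround:
   2^30 (8-bit), 2^29 (16-bit), 2^28 (32-bit). Inclusive bound is assumed. */
static long max_elements(unsigned elem_bits)
{
    switch (elem_bits) {
    case 8:  return 1L << 30;
    case 16: return 1L << 29;
    case 32: return 1L << 28;
    default: return -1;              /* unsupported element width */
    }
}

/* What an unchecked call hands to malloc(): the signed count is converted
   to size_t, so -1 with 8-bit elements becomes SIZE_MAX. */
static size_t unchecked_request(long count, unsigned elem_bits)
{
    return (size_t)count * (elem_bits / 8);
}

/* Hypothetical checked allocator: rejects the count before malloc().
   Returns NULL with errno set to EINVAL (bad width) or ERANGE (bad count). */
static void *alloc_uvector(long count, unsigned elem_bits)
{
    long limit = max_elements(elem_bits);
    if (limit < 0) { errno = EINVAL; return NULL; }
    if (count < 0 || count > limit) { errno = ERANGE; return NULL; }
    /* count <= limit keeps the product at or below 2^30 bytes, so no wrap. */
    size_t bytes = (size_t)count * (elem_bits / 8);
    return malloc(bytes ? bytes : 1);
}

int main(void)
{
    long samples[] = { -1, 16, (1L << 29) + 1 };   /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        void *p = alloc_uvector(samples[i], 16);
        printf("count=%ld unchecked=%zu bytes -> %s\n", samples[i],
               unchecked_request(samples[i], 16), p ? "allocated" : "rejected");
        free(p);
    }
    return 0;
}
```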
