[patch #10096] potential buffer overflow in resource.c
From: INVALID.NOREPLY
Subject: [patch #10096] potential buffer overflow in resource.c
Date: Tue, 17 Aug 2021 22:41:53 -0400 (EDT)
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.73
URL:
<https://savannah.gnu.org/patch/?10096>
Summary: potential buffer overflow in resource.c
Project: GNU gv
Submitted by: eqkws
Submitted on: Wed 18 Aug 2021 02:41:52 AM UTC
Category: None
Priority: 5 - Normal
Status: None
Privacy: Public
Assigned to: None
Originator Email:
Open/Closed: Open
Discussion Lock: Any
_______________________________________________________
Details:
In src/resource.c, there are multiple potential buffer overflow
vulnerabilities.
At line 202, the program gets the value of 'locale' from an environment
variable.
------------------------------
202 locale = getenv("LC_ALL");
203 if ( !locale || !*locale )
204 locale = getenv("LC_MESSAGES");
205 if ( !locale || !*locale )
206 locale = getenv("LANG");
207 if ( !locale || !*locale )
208 locale = "C";
------------------------------
From 211 to 228, the string in 'locale' is stored in 'loc_lang'.
After that, sprintf calls use 'loc_lang' with no length check.
Since the sizes of 'locale1', 'locale2' and 'locale3' are all fixed at 100,
if a malicious attacker puts a large string into the environment variable, it
may cause a stack buffer overflow that leads to buggy behavior.
------------------------------
210 {
211 char* cL, * cP;
212
213 cP = loc_lang;
214 cL = locale;
215
216 *loc_terr = 0;
217 *loc_cs = 0;
218 *loc_mod = 0;
219
220 while (*cL)
221 {
222 if ( *cL == '_' ) { *cP = 0; cP = loc_terr; }
223 if ( *cL == '.' ) { *cP = 0; cP = loc_cs; }
224 if ( *cL == '@' ) { *cP = 0; cP = loc_mod; }
225 *cP++ = *cL++;
226 }
227 *cP = 0;
228 }
229
230 s = resource_getResource(db,app_class,app_name, "international",0);
231 if (s == NULL || !strcasecmp(s, "False"))
232 {
233 sprintf(locale1, "noint:%s%s", loc_lang, loc_terr);
234 sprintf(locale2, "noint:%s", loc_lang);
235 strcpy(locale3, "C");
236 }
237 else
238 {
239 strcpy(locale1, locale);
240 sprintf(locale2, "%s%s%s", loc_lang, loc_terr, loc_cs);
241 sprintf(locale3, "%s%s", loc_lang, loc_cs);
242 }
------------------------------
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/patch/?10096>
_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
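An added example, not part of the report above and not gv's own code: a bounded version of the same locale-splitting loop and of the sprintf name building, written to show what a fix would need to check. It keeps the original's behaviour of leaving the '_', '.' and '@' delimiters at the front of the territory, charset and modifier fields, so the rebuilt names equal what the original sprintf calls produce. The 100-byte field sizes, the struct and function names, and passing the "international" setting as a plain int are assumptions made for illustration.

```c
/* Example only: bounded rewrite of the locale parsing in gv's resource.c.
 * Field sizes, names and the int flag are assumptions, not gv's code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LOC_FIELD 100   /* assumed size of loc_lang/loc_terr/loc_cs/loc_mod */
#define LOC_NAME  100   /* assumed size of locale1/locale2/locale3 */

struct locale_parts {
    char lang[LOC_FIELD];
    char terr[LOC_FIELD];   /* keeps its leading '_' like the original */
    char cs[LOC_FIELD];     /* keeps its leading '.' */
    char mod[LOC_FIELD];    /* keeps its leading '@' */
};

/* Append one byte to a fixed-size field, always leaving room for the NUL.
 * Returns 0 when the field is full instead of writing past it. */
static int push_char(char *field, size_t *len, char c)
{
    if (*len + 1 >= LOC_FIELD)
        return 0;
    field[(*len)++] = c;
    field[*len] = '\0';
    return 1;
}

/* Same state machine as the original while loop (switch target field on
 * '_', '.', '@' and then store the delimiter itself), but every store is
 * bounds-checked. Returns 0 on success, -1 if any component would overflow. */
int parse_locale(const char *locale, struct locale_parts *p)
{
    memset(p, 0, sizeof *p);
    char *field = p->lang;
    size_t len = 0;
    for (const char *cL = locale; *cL; cL++) {
        if (*cL == '_') { field = p->terr; len = 0; }
        if (*cL == '.') { field = p->cs;   len = 0; }
        if (*cL == '@') { field = p->mod;  len = 0; }
        if (!push_char(field, &len, *cL))
            return -1;
    }
    return 0;
}

/* Build the three lookup names with snprintf and check its return value,
 * so a name that does not fit is reported rather than silently truncated.
 * In the "international" case locale1 is rebuilt from the parts, which
 * equals the original string because the delimiters were kept.
 * Returns 0 on success, -1 if any name did not fit. */
int build_locale_names(const struct locale_parts *p, int international,
                       char l1[LOC_NAME], char l2[LOC_NAME], char l3[LOC_NAME])
{
    int n1, n2, n3;
    if (!international) {
        n1 = snprintf(l1, LOC_NAME, "noint:%s%s", p->lang, p->terr);
        n2 = snprintf(l2, LOC_NAME, "noint:%s", p->lang);
        n3 = snprintf(l3, LOC_NAME, "C");
    } else {
        n1 = snprintf(l1, LOC_NAME, "%s%s%s%s", p->lang, p->terr, p->cs, p->mod);
        n2 = snprintf(l2, LOC_NAME, "%s%s%s", p->lang, p->terr, p->cs);
        n3 = snprintf(l3, LOC_NAME, "%s%s", p->lang, p->cs);
    }
    if (n1 < 0 || n1 >= LOC_NAME || n2 < 0 || n2 >= LOC_NAME ||
        n3 < 0 || n3 >= LOC_NAME)
        return -1;
    return 0;
}

int main(void)
{
    /* Same fallback chain as resource.c: LC_ALL, LC_MESSAGES, LANG, "C". */
    const char *locale = getenv("LC_ALL");
    if (!locale || !*locale) locale = getenv("LC_MESSAGES");
    if (!locale || !*locale) locale = getenv("LANG");
    if (!locale || !*locale) locale = "C";

    struct locale_parts p;
    char l1[LOC_NAME], l2[LOC_NAME], l3[LOC_NAME];
    if (parse_locale(locale, &p) != 0 ||
        build_locale_names(&p, 1, l1, l2, l3) != 0) {
        fprintf(stderr, "locale value too long (%zu bytes), refusing it\n",
                strlen(locale));
        return 1;
    }
    printf("%s | %s | %s\n", l1, l2, l3);
    return 0;
}
```

Run it with an oversized value, for example `LANG=$(printf 'a%.0s' $(seq 200)) ./a.out`, and the parser refuses the input instead of writing past the 100-byte field; the two checks are independent, because two components that each fit can still produce a combined name that does not, which is why the snprintf return values are checked as well.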