[CVE-2018-17942] vasnprintf: Fix heap memory overrun bug. 28/258828/1 accepted/tizen_6.5_base accepted/tizen_6.5_base_tool accepted/tizen_7.0_base accepted/tizen_7.0_base_hotfix accepted/tizen_7.0_base_tool accepted/tizen_7.0_base_tool_hotfix accepted/tizen_8.0_base accepted/tizen_9.0_base accepted/tizen_base accepted/tizen_base_riscv accepted/tizen_base_tool tizen_6.5_base tizen_7.0_base tizen_7.0_base_hotfix tizen_8.0_base tizen_9.0_base tizen_base accepted/tizen/6.5/base/20230714.002428 accepted/tizen/6.5/base/tool/20211027.112430 accepted/tizen/7.0/base/20230714.002838 accepted/tizen/7.0/base/hotfix/20230714.003654 accepted/tizen/7.0/base/tool/20221028.112928 accepted/tizen/7.0/base/tool/hotfix/20221115.084721 accepted/tizen/8.0/base/20231005.044609 accepted/tizen/9.0/base/20241030.075840 accepted/tizen/base/20230714.003244 accepted/tizen/base/riscv/20231124.082756 accepted/tizen/base/tool/20210531.013808 submit/tizen_6.5_base/20211026.180901 submit/tizen_6.5_base/20211027.183101 submit/tizen_6.5_base/20211027.200501 submit/tizen_7.0_base/20221028.200901 submit/tizen_7.0_base_hotfix/20221115.161501 submit/tizen_base/20210528.005548 tizen_6.5.m2_release tizen_7.0_m2_release tizen_8.0_m2_release tizen_9.0_m2_release
authorDongkyun Son <dongkyun.s@samsung.com>
Wed, 26 May 2021 08:18:14 +0000 (17:18 +0900)
committerDongkyun Son <dongkyun.s@samsung.com>
Wed, 26 May 2021 08:19:53 +0000 (17:19 +0900)
Reported by Ben Pfaff <blp@cs.stanford.edu> in
<https://lists.gnu.org/archive/html/bug-gnulib/2018-09/msg00107.html>.

* lib/vasnprintf.c (convert_to_decimal): Allocate one more byte of
memory.
* tests/test-vasnprintf.c (test_function): Add another test.

Change-Id: I9375c9f006d83bff07820a8c1fba251435a14faa
Signed-off-by: Dongkyun Son <dongkyun.s@samsung.com>
lib/vasnprintf.c

index 3b441d0..48ef7a6 100644 (file)
@@ -860,7 +860,9 @@ convert_to_decimal (mpn_t a, size_t extra_zeroes)
   size_t a_len = a.nlimbs;
   /* 0.03345 is slightly larger than log(2)/(9*log(10)).  */
   size_t c_len = 9 * ((size_t)(a_len * (GMP_LIMB_BITS * 0.03345f)) + 1);
-  char *c_ptr = (char *) malloc (xsum (c_len, extra_zeroes));
+  /* We need extra_zeroes bytes for zeroes, followed by c_len bytes for the
+     digits of a, followed by 1 byte for the terminating NUL.  */
+  char *c_ptr = (char *) malloc (xsum (xsum (extra_zeroes, c_len), 1));
   if (c_ptr != NULL)
     {
       char *d_ptr = c_ptr;