From: Dongkyun Son <dongkyun.s@samsung.com>
Date: Wed, 26 May 2021 08:18:14 +0000 (+0900)
Subject: [CVE-2018-17942] vasnprintf: Fix heap memory overrun bug.
X-Git-Tag: accepted/tizen/6.5/base/20230714.002428^0
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fheads%2Ftizen_7.0_base_hotfix;p=platform%2Fupstream%2Fbison.git

[CVE-2018-17942] vasnprintf: Fix heap memory overrun bug.

Reported by Ben Pfaff <blp@cs.stanford.edu> in
<https://lists.gnu.org/archive/html/bug-gnulib/2018-09/msg00107.html>.

* lib/vasnprintf.c (convert_to_decimal): Allocate one more byte of
memory.
* tests/test-vasnprintf.c (test_function): Add another test.

Change-Id: I9375c9f006d83bff07820a8c1fba251435a14faa
Signed-off-by: Dongkyun Son <dongkyun.s@samsung.com>
---

diff --git a/lib/vasnprintf.c b/lib/vasnprintf.c
index 3b441d0..48ef7a6 100644
--- a/lib/vasnprintf.c
+++ b/lib/vasnprintf.c
@@ -860,7 +860,9 @@ convert_to_decimal (mpn_t a, size_t extra_zeroes)
   size_t a_len = a.nlimbs;
   /* 0.03345 is slightly larger than log(2)/(9*log(10)).  */
   size_t c_len = 9 * ((size_t)(a_len * (GMP_LIMB_BITS * 0.03345f)) + 1);
-  char *c_ptr = (char *) malloc (xsum (c_len, extra_zeroes));
+  /* We need extra_zeroes bytes for zeroes, followed by c_len bytes for the
+     digits of a, followed by 1 byte for the terminating NUL.  */
+  char *c_ptr = (char *) malloc (xsum (xsum (extra_zeroes, c_len), 1));
   if (c_ptr != NULL)
     {
       char *d_ptr = c_ptr;