
[Bug binutils/29099] New: Buffer overflow can happen at libiberty/argv.c


From: yguoaz at gmail dot com
Subject: [Bug binutils/29099] New: Buffer overflow can happen at libiberty/argv.c
Date: Thu, 28 Apr 2022 01:56:59 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=29099

            Bug ID: 29099
           Summary: Buffer overflow can happen at libiberty/argv.c
           Product: binutils
           Version: 2.38
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: yguoaz at gmail dot com
  Target Milestone: ---

In the file libiberty/argv.c, the function expandargv has the following code:
(link: https://sourceware.org/git/?p=binutils-gdb.git;a=blob;f=libiberty/argv.c;h=10d5c3060b5bf8d70bc65e0c9084b69c890be88f;hb=HEAD#l438)

void
expandargv (int *argcp, char ***argvp)
{
    ......
    while (++i < *argcp) {
        ......
        f = fopen (++filename, "r");
        if (!f)
            continue;
        if (fseek (f, 0L, SEEK_END) == -1)
            goto error;
        pos = ftell (f);
        if (pos == -1)
            goto error;
        if (fseek (f, 0L, SEEK_SET) == -1)
            goto error;
        buffer = (char *) xmalloc (pos * sizeof (char) + 1);
        len = fread (buffer, sizeof (char), pos, f);

    }
}

Since pos = ftell (f), the variable pos is controlled by the size of the input
file. It is possible that pos = LONG_MAX and then the calculation of the buffer
size will have a signed integer overflow:
                            pos * sizeof (char) + 1

This is undefined behavior and can lead to a smaller buffer allocated, which
can lead to subsequent buffer overflow.

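Added example (not libiberty code, and not from the reporter): a defensive way to handle the size computation discussed in the report. buffer_size_for() validates the ftell() result against a caller-chosen cap before computing pos + 1, and read_bounded() avoids trusting ftell() at all by reading the stream in chunks with overflow-checked growth and a hard upper bound. The function names, the 64-byte initial chunk, the cap values and the sample response file content are all constructed for this demonstration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: turn an ftell() result into an allocation size.
   Returns pos + 1 (room for a NUL), or -1 if pos is negative (ftell
   failure), exceeds max_bytes, or could not be incremented safely.
   All comparisons happen before any arithmetic, so nothing can overflow. */
long
buffer_size_for (long pos, long max_bytes)
{
  if (pos < 0 || max_bytes < 0 || max_bytes > LONG_MAX - 1)
    return -1;
  if (pos > max_bytes)
    return -1;
  return pos + 1;   /* pos <= max_bytes <= LONG_MAX - 1: no overflow */
}

/* Hypothetical helper: read a stream into a NUL-terminated heap buffer
   without relying on ftell()/fseek() for sizing. Grows geometrically with
   checked arithmetic and refuses streams longer than max_bytes.
   Returns NULL (and *len_out = 0) on error or when the cap is exceeded. */
char *
read_bounded (FILE *f, size_t max_bytes, size_t *len_out)
{
  size_t cap, len = 0;
  char *buf;

  if (max_bytes >= SIZE_MAX)       /* keep every "cap + 1" representable */
    return NULL;
  cap = max_bytes < 64 ? max_bytes : 64;   /* constructed initial chunk */
  buf = malloc (cap + 1);
  if (!buf)
    return NULL;

  for (;;)
    {
      size_t n;
      if (len == cap)
        {
          if (cap >= max_bytes)
            {
              /* Buffer is full at the limit: fine only if the stream ends. */
              int c = fgetc (f);
              if (c == EOF && !ferror (f))
                break;
              goto fail;         /* more data than allowed, or read error */
            }
          size_t new_cap = cap > max_bytes / 2 ? max_bytes : cap * 2;
          char *tmp = realloc (buf, new_cap + 1);   /* new_cap < SIZE_MAX */
          if (!tmp)
            goto fail;
          buf = tmp;
          cap = new_cap;
        }
      n = fread (buf + len, 1, cap - len, f);
      len += n;
      if (n == 0)
        {
          if (ferror (f))
            goto fail;
          break;                 /* clean EOF */
        }
    }
  buf[len] = '\0';
  *len_out = len;
  return buf;

fail:
  free (buf);
  *len_out = 0;
  return NULL;
}

/* Demo/test helper: write a constructed byte string to a temporary stream
   and read it back through read_bounded(). Returns the length read, or -1
   if read_bounded() refused the input or the contents did not round-trip. */
long
demo_read_bytes (const char *data, size_t n, size_t max_bytes)
{
  FILE *f = tmpfile ();
  size_t len = 0;
  char *buf;
  long result;

  if (!f)
    return -1;
  if (fwrite (data, 1, n, f) != n)
    {
      fclose (f);
      return -1;
    }
  rewind (f);
  buf = read_bounded (f, max_bytes, &len);
  fclose (f);
  if (!buf)
    return -1;
  result = (len == n && memcmp (buf, data, n) == 0 && buf[n] == '\0')
           ? (long) len : -1;
  free (buf);
  return result;
}

int
main (void)
{
  /* Constructed sample: a two-line response file such as expandargv reads. */
  const char sample[] = "-O2\n-Wall\n";
  printf ("size for pos=10: %ld\n", buffer_size_for (10, 1L << 20));
  printf ("size for pos=LONG_MAX: %ld\n", buffer_size_for (LONG_MAX, 1L << 20));
  printf ("read with cap 1024: %ld bytes\n",
          demo_read_bytes (sample, sizeof sample - 1, 1024));
  printf ("read with cap 3: %ld\n", demo_read_bytes (sample, sizeof sample - 1, 3));
  return 0;
}
```

The cap passed to either helper is a policy decision for the caller (a response file for a linker invocation has no business being gigabytes long); the point is that an attacker-shaped or failed ftell() result is rejected before it reaches the allocator rather than being multiplied and incremented first.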

