[Bug binutils/29099] New: Buffer overflow can happen at libiberty/argv.c
From: yguoaz at gmail dot com
Subject: [Bug binutils/29099] New: Buffer overflow can happen at libiberty/argv.c
Date: Thu, 28 Apr 2022 01:56:59 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=29099
Bug ID: 29099
Summary: Buffer overflow can happen at libiberty/argv.c
Product: binutils
Version: 2.38
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: yguoaz at gmail dot com
Target Milestone: ---
In the file libiberty/argv.c, the function expandargv has the following code
(link: https://sourceware.org/git/?p=binutils-gdb.git;a=blob;f=libiberty/argv.c;h=10d5c3060b5bf8d70bc65e0c9084b69c890be88f;hb=HEAD#l438):
void
expandargv (int *argcp, char ***argvp)
{
  ......
  while (++i < *argcp) {
      ......
      f = fopen (++filename, "r");
      if (!f)
        continue;
      if (fseek (f, 0L, SEEK_END) == -1)
        goto error;
      pos = ftell (f);
      if (pos == -1)
        goto error;
      if (fseek (f, 0L, SEEK_SET) == -1)
        goto error;
      buffer = (char *) xmalloc (pos * sizeof (char) + 1);
      len = fread (buffer, sizeof (char), pos, f);
  }
}
Since pos = ftell (f), the variable pos is controlled by the size of the input
file. It is possible that pos = LONG_MAX and then the calculation of the buffer
size will have a signed integer overflow:

  pos * sizeof (char) + 1

This is undefined behavior and can lead to a smaller buffer allocated, which
can lead to subsequent buffer overflow.
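An added example, not code from binutils/libiberty and not posted by the reporter: a C program that evaluates the size expression from the snippet above with the conversion rules the compiler actually applies, beside a checked version of the same fopen/fseek/ftell/fread sequence that rejects any position the allocation cannot safely represent. The function names (naive_size, checked_size, read_response_stream, demo_roundtrip), the max_file_bytes cap and the sample response-file contents are this example's own assumptions.

```c
/* Added example, not code from libiberty or from the bug reporter: the size
 * expression from expandargv() evaluated with C's actual conversion rules,
 * beside a checked reimplementation of its fseek/ftell/fread sequence.
 * All function names and the max_file_bytes cap are this example's own. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Exactly the report's expression.  sizeof (char) has type size_t, so on
 * targets where size_t has at least the rank of long (LP64, ILP32, LLP64)
 * pos is converted to size_t and the whole expression is unsigned modular
 * arithmetic: no signed overflow, but a negative pos wraps (e.g. -1 -> 0). */
static size_t
naive_size (long pos)
{
  return pos * sizeof (char) + 1;
}

/* Hardened size computation: rejects negative positions, positions whose
 * "+ 1" would not fit in size_t, and anything over a caller-chosen cap.
 * Returns 0 on rejection; a valid result is always >= 1 (room for the NUL). */
static size_t
checked_size (long pos, size_t max_file_bytes)
{
  if (pos < 0)
    return 0;
  if ((size_t) pos > SIZE_MAX - 1)
    return 0;
  if ((size_t) pos > max_file_bytes)
    return 0;
  return (size_t) pos + 1;
}

/* The fseek/ftell/fread sequence from the snippet, using checked_size and
 * NUL-terminating at the number of bytes fread actually returned (which can
 * be less than pos, e.g. on a text-mode stream on Windows).  The caller keeps
 * ownership of f.  Returns a malloc'd buffer or NULL on any failure. */
static char *
read_response_stream (FILE *f, size_t max_file_bytes, size_t *len_out)
{
  long pos;
  size_t size, len;
  char *buffer;

  if (fseek (f, 0L, SEEK_END) == -1)
    return NULL;
  pos = ftell (f);
  if (pos == -1)
    return NULL;
  if (fseek (f, 0L, SEEK_SET) == -1)
    return NULL;
  size = checked_size (pos, max_file_bytes);
  if (size == 0)
    return NULL;
  buffer = malloc (size);
  if (!buffer)
    return NULL;
  len = fread (buffer, 1, size - 1, f);
  if (ferror (f))
    {
      free (buffer);
      return NULL;
    }
  buffer[len] = '\0';          /* len <= size - 1, so always in bounds */
  if (len_out)
    *len_out = len;
  return buffer;
}

/* Constructed sample: a small response file written to a tmpfile() and read
 * back through the checked path.  Returns 1 if the round trip is exact. */
static int
demo_roundtrip (void)
{
  static const char sample[] = "-O2 -Wall\n@nested.rsp\n";
  size_t len = 0;
  char *buf;
  int ok;
  FILE *f = tmpfile ();

  if (!f || fputs (sample, f) == EOF)
    {
      if (f)
        fclose (f);
      return 0;
    }
  buf = read_response_stream (f, 1u << 20, &len);
  ok = buf != NULL && len == strlen (sample) && strcmp (buf, sample) == 0;
  free (buf);
  fclose (f);
  return ok;
}

int
main (void)
{
  printf ("naive_size (LONG_MAX) = %zu, naive_size (-1) = %zu\n",
          naive_size (LONG_MAX), naive_size (-1));
  printf ("checked_size (LONG_MAX, 1 MiB) = %zu\n",
          checked_size (LONG_MAX, 1u << 20));
  printf ("round trip %s\n", demo_roundtrip () ? "ok" : "FAILED");
  return 0;
}
```

naive_size() lets the reader evaluate the report's arithmetic on their own target: once sizeof (char) enters the expression it is computed in size_t, so a non-negative pos yields pos + 1 without wrapping, while a negative pos (which the snippet only guards against for the value -1) wraps to a tiny allocation. checked_size() makes both conditions explicit and adds a size cap, which is the guard a reviewer would ask for on any allocation derived from ftell() regardless of how the original arithmetic behaves; read_response_stream() also terminates the buffer at the length fread() actually returned rather than at pos.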