[bug #61043] potential integer overflow vulnerability in src/preproc/grn
From: INVALID.NOREPLY
Subject: [bug #61043] potential integer overflow vulnerability in src/preproc/grn/hdb.cpp
Date: Sun, 15 Aug 2021 02:03:10 -0400 (EDT)
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36 Edg/92.0.902.62
URL:
<https://savannah.gnu.org/bugs/?61043>
Summary: potential integer overflow vulnerability in
src/preproc/grn/hdb.cpp
Project: GNU troff
Submitted by: eqkws
Submitted on: Sun 15 Aug 2021 06:03:08 AM UTC
Category: None
Severity: 3 - Normal
Item Group: None
Status: None
Privacy: Private
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release: None
_______________________________________________________
Details:
Hi, I found an integer overflow bug in the source code of groff.
In src/preproc/grn/hdb.cpp:189,
189 (void) fscanf(file, "%d", &len); /* text length */
190 (void) getc(file); /* eat blank */
191 txt = (char *) malloc((unsigned) len + 1);
The program reads the value of len from an input file and calls malloc with
len + 1.
If a maliciously crafted input that sets len to -1 is given, it will cause an
integer overflow, and allocation with 0 leads to buggy behavior like denial of
service.
Thank you.
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/bugs/?61043>
_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
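
Added example, not part of the original report and not groff's own code: one way to read the length field quoted above so that a missing, negative or oversized value is rejected before it reaches malloc. The names read_text_buf, parse_sample and MAX_TEXT_LEN are hypothetical, and the assumption that len bytes of text follow the blank comes from the "text length" comment, not from code shown in the report.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_TEXT_LEN 65536L  /* assumed cap; not a groff constant */

/* Read a decimal text length followed by one blank, then allocate len + 1
 * bytes and read the text. Returns NULL (with *out_len set to 0) on
 * malformed, negative or oversized input, so no wrapped size reaches malloc. */
char *read_text_buf(FILE *file, long *out_len)
{
    char tok[32], *end;
    long len;

    *out_len = 0;
    if (fscanf(file, "%31s", tok) != 1)      /* missing field or EOF */
        return NULL;
    errno = 0;
    len = strtol(tok, &end, 10);
    if (errno != 0 || *end != '\0')          /* out of range or trailing junk */
        return NULL;
    if (len < 0 || len > MAX_TEXT_LEN)       /* -1 would wrap len + 1 to 0 */
        return NULL;
    (void) getc(file);                       /* eat blank */
    char *txt = malloc((size_t) len + 1);
    if (txt == NULL) return NULL;
    if (fread(txt, 1, (size_t) len, file) != (size_t) len) { /* short input */
        free(txt);
        return NULL;
    }
    txt[len] = '\0';
    *out_len = len;
    return txt;
}

/* Helper for constructed inputs: returns the accepted length, -1 if the
 * input was rejected, -2 if no temporary file could be created. */
long parse_sample(const char *input)
{
    long len = -1;
    FILE *f = tmpfile();
    if (f == NULL) return -2;
    fputs(input, f);
    rewind(f);
    char *txt = read_text_buf(f, &len);
    long result = txt ? len : -1;
    free(txt);
    fclose(f);
    return result;
}
```

For example, parse_sample("5 hello") returns 5, while parse_sample("-1 x") returns -1 because the negative length is rejected before any allocation.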