URL:
<http://savannah.gnu.org/bugs/?47531>
Summary: One byte heap buffer overflow in x-lua.c (triggered by make check)
Project: GNU gettext
Submitted by: hanno
Submitted on: Fri 25 Mar 2016 02:02:44 PM CET
Category: None
Severity: 3 - Normal
Item Group: None
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
_______________________________________________________
Details:
There is a one byte heap buffer overflow in x-lua.c. This is the code:
static void
string_end ()
{
  string_buf[string_buf_length] = '\0';
}
The problem is that when string_buf_length is larger than string_buf it will
still write. In the function above (string_add) there is a check for that and
a call to xrealloc in that case. See attached patch for a similar change to
string_end (I realloc only one additional byte because I assume after
string_end no more memory is needed).
This was found by running the test suite (make check) with address sanitizer
enabled. I'll attach the address sanitizer error message as well.
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Fri 25 Mar 2016 02:02:44 PM CET Name: gettext-fix-bufferoverflow.diff
Size: 436B By: hanno
<http://savannah.gnu.org/bugs/download.php?file_id=36761>
-------------------------------------------------------
Date: Fri 25 Mar 2016 02:02:44 PM CET Name: gettext-lua-overflow-asan.txt
Size: 4kB By: hanno
<http://savannah.gnu.org/bugs/download.php?file_id=36762>
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/bugs/?47531>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
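The off-by-one described in the report, as an added illustration that is not gettext's own source: a small model of the growable string buffer in x-lua.c, using the names string_buf, string_buf_length, string_add and string_end from the report. The capacity variable string_buf_size, the initial allocation of 8 bytes, the doubling growth policy, and the helpers string_start, build, unchecked_end_overflows and finished_length are assumptions made for this example. The unchecked terminator write is replaced by a predicate that reports whether it would land inside the allocation, so the example runs cleanly without the sanitizer; string_end is the fixed form, which grows the buffer by one byte when the terminator does not fit.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Example buffer state; string_buf_size is an assumed name for the
   number of bytes currently allocated for string_buf. */
static char *string_buf;
static size_t string_buf_length;
static size_t string_buf_size;

static void *
xrealloc_or_die (void *p, size_t n)
{
  void *q = realloc (p, n);
  if (q == NULL)
    {
      perror ("realloc");
      exit (EXIT_FAILURE);
    }
  return q;
}

/* Assumed helper: reset the buffer before building a new string. */
static void
string_start (void)
{
  free (string_buf);
  string_buf = NULL;
  string_buf_length = 0;
  string_buf_size = 0;
}

/* Mirrors the growth check the report attributes to string_add: the
   buffer grows only when the byte being appended does not fit.  After
   the call, string_buf_length may equal string_buf_size exactly.
   The 8-byte start and doubling policy are assumptions. */
static void
string_add (int c)
{
  if (string_buf_length >= string_buf_size)
    {
      string_buf_size = string_buf_size ? 2 * string_buf_size : 8;
      string_buf = xrealloc_or_die (string_buf, string_buf_size);
    }
  string_buf[string_buf_length++] = (char) c;
}

/* The reported string_end () writes string_buf[string_buf_length] with no
   check.  That index is inside the allocation only while length < size;
   when the string exactly fills the buffer, the write lands one byte past
   the end.  This predicate reports that condition instead of doing it. */
static int
unchecked_terminator_fits (void)
{
  return string_buf_length < string_buf_size;
}

/* Fixed string_end (): make room for the terminator first.  One extra
   byte is enough, because nothing is appended once the string is done. */
static void
string_end (void)
{
  if (string_buf_length >= string_buf_size)
    {
      string_buf_size = string_buf_length + 1;
      string_buf = xrealloc_or_die (string_buf, string_buf_size);
    }
  string_buf[string_buf_length] = '\0';
}

/* Assumed driver: build a string of n 'a' bytes. */
static void
build (size_t n)
{
  size_t i;
  string_start ();
  for (i = 0; i < n; i++)
    string_add ('a');
}

/* 1 if the original string_end () would have written out of bounds for a
   string of n bytes, 0 otherwise. */
static int
unchecked_end_overflows (size_t n)
{
  build (n);
  return !unchecked_terminator_fits ();
}

/* Length of the string after the fixed string_end (); the terminator is
   placed inside the allocation, so strlen sees exactly n bytes. */
static size_t
finished_length (size_t n)
{
  build (n);
  string_end ();
  return strlen (string_buf);
}

int
main (void)
{
  size_t n;
  for (n = 6; n <= 17; n++)
    printf ("%zu bytes: unchecked string_end %s; fixed string_end gives "
            "strlen %zu\n", n,
            unchecked_end_overflows (n) ? "overflows by one byte"
                                        : "stays in bounds",
            finished_length (n));
  string_start ();
  return 0;
}
```

Lengths that exactly fill an allocation (8, 16, ... under the assumed policy) are the ones that trigger the overflow; every other length leaves at least one spare byte, which is why the bug only surfaces on particular inputs and was caught by running the test suite under -fsanitize=address rather than by inspection. The same predicate check can be turned into an assertion in the real string_end to make the precondition explicit.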