Re: buffer overflow in t_vis.c

2017-04-13 Thread J. Lewis Muir
On 04/13, Brooks Davis wrote: > diff --git a/contrib/netbsd-tests/lib/libc/gen/t_vis.c > b/contrib/netbsd-tests/lib/libc/gen/t_vis.c > index adb0930a300..9b9501d5b9c 100644 > --- a/contrib/netbsd-tests/lib/libc/gen/t_vis.c > +++ b/contrib/netbsd-tests/lib/libc/gen/t_vis.c > @@ -68,7 +68,12 @@ ATF_

Re: buffer overflow in t_vis.c

2017-04-13 Thread Brooks Davis
On Thu, Apr 13, 2017 at 07:56:39AM +0100, Iain Hibbert wrote:
> On Thu, 13 Apr 2017, Brooks Davis wrote:
>
> > I've found a one byte buffer overflow in t_vis.c. It's caused by a
> > quite reasonable confusion about an undocumented behavior of always adding
> > a '\0' terminating the dst string in st

out of bounds read in humanize_number()

2017-04-13 Thread Brooks Davis
I've made the following commit to FreeBSD's humanize_number, which has diverged quite a lot from NetBSD's, but it looks like we've shared this bug since 2004 or so. The error occurs due to this loop:

    for (i = 0; bytes >= max - 50 && i < maxscale; i++)

'i' then gets used as a scale passed to SCALE