Bug 93881 (CVE-2016-2090)

Summary: libbsd: heap buffer overflow in fgetwln() (CVE-2016-2090)
Product: libbsd
Reporter: Hanno Böck <hanno>
Component: libbsd
Assignee: Guillem Jover <guillem>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: medium
CC: fweimer
Version: unspecified
Hardware: Other
OS: All
Whiteboard:
Attachments: [patch] fix heap overflow

Description Hanno Böck 2016-01-27 10:34:53 UTC
Created attachment 121322 [details]
[patch] fix heap overflow

In the function fgetwln there's a 4 byte heap overflow.

There is a while loop that has this check to see whether there's still enough space in the buffer:
		if (!fb->len || wused > fb->len) {

If this is true more memory gets allocated. However this test won't be true if wused == fb->len, but at that point wused already points out of the buffer. Some lines later there's a write to the buffer:
		fb->wbuf[wused++] = wc;

The fix is simple: Check for wused >= fb->len instead. See attached patch.

This bug was found with the help of address sanitizer.
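The off-by-one described above, worked through as an added C example (not libbsd's code and not the attached patch). It assumes a hypothetical minimal buffer struct `wbuf_state`, a helper `store_out_of_bounds()` that reports whether a store at the current write index would land outside the allocation, and a `read_wline()` stand-in that reads from a wide-character string instead of a FILE* and grows the buffer in a fixed chunk size; all of these are assumptions for illustration. On platforms where `wchar_t` is 32 bits (glibc on Linux), the one-element overrun is the 4-byte overflow the report names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>

/* Hypothetical stand-in for the per-stream buffer (assumed shape for this
 * example; not the project's own struct). */
struct wbuf_state {
    wchar_t *wbuf;  /* heap buffer holding the current line */
    size_t   len;   /* capacity of wbuf in wide characters */
};

/* Growth test as quoted in the report: grows only when the buffer is empty
 * or the write index is already past the end. At wused == len it returns 0,
 * yet the following store goes to wbuf[len], one element beyond the
 * allocation (4 bytes with a 32-bit wchar_t). */
int needs_grow_buggy(size_t len, size_t wused) {
    return !len || wused > len;
}

/* Corrected test (">=" instead of ">"): grow as soon as the next write index
 * equals the capacity, so wbuf[wused] is always inside the allocation. */
int needs_grow_fixed(size_t len, size_t wused) {
    return !len || wused >= len;
}

/* Returns 1 if, under the given growth test, the store at index wused would
 * fall outside a buffer of capacity len (no reallocation would happen first). */
int store_out_of_bounds(int (*needs_grow)(size_t, size_t), size_t len, size_t wused) {
    if (needs_grow(len, wused))
        return 0;            /* buffer is grown before the store: safe */
    return wused >= len;     /* no growth, so the index must already be in range */
}

/* fgetwln-style reader over a wide string (stand-in for FILE* input) using
 * the corrected check. Grows the buffer by `chunk` elements at a time and
 * returns the number of wide characters stored (including the L'\n' that
 * ends the line), or (size_t)-1 on allocation failure. */
size_t read_wline(struct wbuf_state *fb, const wchar_t *input, size_t chunk) {
    size_t wused = 0;
    for (const wchar_t *p = input; *p; p++) {
        wchar_t wc = *p;
        if (needs_grow_fixed(fb->len, wused)) {
            size_t newlen = fb->len + chunk;
            wchar_t *nb = realloc(fb->wbuf, newlen * sizeof(wchar_t));
            if (!nb)
                return (size_t)-1;
            fb->wbuf = nb;
            fb->len = newlen;
        }
        fb->wbuf[wused++] = wc;   /* in bounds: wused < fb->len is guaranteed here */
        if (wc == L'\n')
            break;
    }
    return wused;
}

int main(void) {
    /* Constructed boundary case: capacity 4, write index 4. */
    printf("buggy check, len=4 wused=4: out of bounds = %d\n",
           store_out_of_bounds(needs_grow_buggy, 4, 4));
    printf("fixed check, len=4 wused=4: out of bounds = %d\n",
           store_out_of_bounds(needs_grow_fixed, 4, 4));

    struct wbuf_state fb = { NULL, 0 };
    size_t n = read_wline(&fb, L"hello\nworld", 2);
    printf("read %zu wide chars, capacity now %zu\n", n, fb.len);
    free(fb.wbuf);
    return 0;
}
```

The instructive case is `len == wused`: the original test treats the buffer as still having room, while the index already equals the capacity, which is exactly the pattern AddressSanitizer flags as a heap-buffer-overflow one element past the end.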
Comment 1 Guillem Jover 2016-01-27 16:28:02 UTC
Thanks! This has been merged and released as part of 0.8.2.
Comment 2 Florian Weimer 2016-08-22 12:02:14 UTC
This has been assigned CVE-2016-2090:

  http://openwall.com/lists/oss-security/2016/01/28/5
