Summary: libbsd: heap buffer overflow in fgetwln() (CVE-2016-2090)
Product: libbsd
Reporter: Hanno Böck <hanno>
Component: libbsd
Assignee: Guillem Jover <guillem>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: medium
CC: fweimer
Version: unspecified
Hardware: Other
OS: All
Whiteboard:
Attachments: [patch] fix heap overflow
Created attachment 121322 [details]
[patch] fix heap overflow

In the function fgetwln there's a 4-byte heap overflow. There is a while loop that has this check to see whether there's still enough space in the buffer:

    if (!fb->len || wused > fb->len) {

If this is true more memory gets allocated. However this test won't be true if wused == fb->len, but at that point wused already points out of the buffer. Some lines later there's a write to the buffer:

    fb->wbuf[wused++] = wc;

The fix is simple: check for wused >= fb->len instead. See attached patch.

This bug was found with the help of address sanitizer.
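The off-by-one described in the report is a general property of "grow when full" loops that test `used > capacity` instead of `used >= capacity`: the iteration where `used == capacity` skips the grow and then writes one element past the end, once per growth step. The following is an added example written for this page, not libbsd's fgetwln() code or the attached patch. It models the loop on a constructed in-memory wide string with a small, assumed growth step (`CHUNK`), runs both the original `>` test and the corrected `>=` test, and bounds-checks the store so that the buggy variant records the out-of-bounds index instead of corrupting the heap. The names `wbuf`, `outcome`, `read_line` and `run_case` are this example's own.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <stdio.h>
#include <wchar.h>

/* Growth step for the buffer. Assumed small so the edge case is reached on
 * short input; the real library uses a larger step but the logic is the same. */
enum { CHUNK = 8 };

/* Constructed model of a growable wide-character line buffer (not libbsd's). */
struct wbuf {
    wchar_t *wbuf;   /* heap buffer, NULL until first growth */
    size_t   len;    /* capacity in wchar_t, 0 = not yet allocated */
};

/* Result of one read: how many characters were consumed, and whether the loop
 * ever tried to store at an index >= the capacity current at that moment. */
struct outcome {
    size_t chars_written;
    bool   out_of_bounds;
};

/* The check under discussion. fixed == false reproduces the reported test
 * (wused > fb->len); fixed == true uses the corrected wused >= fb->len. */
static bool grow_needed(const struct wbuf *fb, size_t wused, bool fixed)
{
    if (!fb->len)
        return true;
    return fixed ? (wused >= fb->len) : (wused > fb->len);
}

/* Copy wide chars from `in` into fb up to and including the first L'\n'
 * (or to the end of the string), growing fb by CHUNK when grow_needed() says
 * so. The store is guarded here purely so the demonstration can report the
 * overflow; the original code has no such guard and writes to the heap. */
static struct outcome read_line(struct wbuf *fb, const wchar_t *in, bool fixed)
{
    struct outcome o = { 0, false };
    size_t wused = 0;

    for (const wchar_t *p = in; *p != L'\0'; p++) {
        wchar_t wc = *p;

        if (grow_needed(fb, wused, fixed)) {
            wchar_t *nb = realloc(fb->wbuf, (fb->len + CHUNK) * sizeof *nb);
            if (nb == NULL)
                break;            /* treat allocation failure as end of input */
            fb->wbuf = nb;
            fb->len += CHUNK;
        }

        /* With the '>' test, wused == fb->len reaches this point unhandled:
         * the store would land at wbuf[len], one wchar_t (4 bytes on Linux)
         * past the allocation. */
        if (wused >= fb->len)
            o.out_of_bounds = true;
        else
            fb->wbuf[wused] = wc;
        wused++;
        o.chars_written = wused;

        if (wc == L'\n')
            break;
    }
    return o;
}

/* Run one input through a fresh buffer and release it. */
static struct outcome run_case(const wchar_t *in, bool fixed)
{
    struct wbuf fb = { NULL, 0 };
    struct outcome o = read_line(&fb, in, fixed);
    free(fb.wbuf);
    return o;
}

int main(void)
{
    /* Constructed inputs: exactly CHUNK characters never reaches wused == len
     * with a pending store, CHUNK + 1 does. */
    const wchar_t *short_line = L"12345678";
    const wchar_t *edge_line  = L"12345678\n";

    printf("'>'  test, %zu chars: overflow=%d\n", wcslen(short_line),
           run_case(short_line, false).out_of_bounds);
    printf("'>'  test, %zu chars: overflow=%d\n", wcslen(edge_line),
           run_case(edge_line, false).out_of_bounds);
    printf("'>=' test, %zu chars: overflow=%d\n", wcslen(edge_line),
           run_case(edge_line, true).out_of_bounds);
    return 0;
}
```

The edge is reached whenever the line length (including the newline) exceeds a multiple of the growth step by one, which is why the bug is invisible on most inputs and was only caught with AddressSanitizer. Note that a `>=` test also makes the separate `!fb->len` check redundant, since `0 >= 0` is already true; the corrected predicate alone covers the unallocated case.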