Created attachment 121322 [patch]
fix heap overflow

In the function fgetwln there's a 4-byte heap overflow. There is a while loop that has this check to see whether there's still enough space in the buffer:

    if (!fb->len || wused > fb->len) {

If this is true, more memory gets allocated. However, this test won't be true if wused == fb->len, but at that point wused already points out of the buffer. Some lines later there's a write to the buffer:

    fb->wbuf[wused++] = wc;

The fix is simple: check for wused >= fb->len instead. See attached patch.

This bug was found with the help of address sanitizer.
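As an added illustration (not the libbsd code and not the reporter's patch): the two forms of the check side by side, plus a simplified buffer-growth loop that uses the corrected test. The struct layout, the CHUNK growth step and the collect_line helper are assumptions made for this example; the page only names the fields wbuf and len.

```c
#include <stdlib.h>
#include <wchar.h>

/* Simplified stand-in for the per-stream buffer state used by fgetwln
 * (assumed shape for this example). */
struct filewbuf {
    wchar_t *wbuf;   /* heap buffer of wide chars */
    size_t   len;    /* number of wchar_t slots allocated */
};

/* Both return 1 when the loop must grow the buffer before writing slot
 * 'wused'. The original test (wused > len) answers 0 when wused == len,
 * yet slot 'len' is one past the end, so the following store
 * fb->wbuf[wused++] writes one wchar_t (4 bytes on common Linux ABIs)
 * beyond the allocation. The corrected test is wused >= len. */
int needs_grow_buggy(size_t wused, size_t len) { return !len || wused > len; }
int needs_grow_fixed(size_t wused, size_t len) { return !len || wused >= len; }

/* Copy wide chars from 'src' up to and including the first L'\n' into fb,
 * growing the heap buffer CHUNK slots at a time with the corrected check.
 * Returns the number of wide chars stored, or (size_t)-1 if realloc fails.
 * CHUNK is deliberately tiny so growth happens several times in a short
 * input; a real implementation would use a much larger step. */
#define CHUNK 4
size_t collect_line(struct filewbuf *fb, const wchar_t *src)
{
    size_t wused = 0;
    for (; *src; src++) {
        if (needs_grow_fixed(wused, fb->len)) {   /* slot 'wused' must exist */
            size_t nlen = fb->len + CHUNK;
            wchar_t *nb = realloc(fb->wbuf, nlen * sizeof(wchar_t));
            if (!nb)
                return (size_t)-1;
            fb->wbuf = nb;
            fb->len = nlen;
        }
        fb->wbuf[wused++] = *src;   /* always inside [0, fb->len) now */
        if (*src == L'\n')
            break;
    }
    return wused;
}
```

Running the buggy variant under AddressSanitizer, as the reporter did, reports the one-slot write past the end as a heap-buffer-overflow.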
Thanks! This has been merged and released as part of 0.8.2.
This has been assigned CVE-2016-2090: http://openwall.com/lists/oss-security/2016/01/28/5