__asprintf buffer resize issue
From: Michael Meeks
Subject: __asprintf buffer resize issue
Date: Thu, 26 Jul 2001 17:38:23 -0400 (EDT)
>Submitter-Id: net
>Originator: Michael Meeks
>Organization: Ximian Inc.
One would hope this has been fixed already - if so apologies
for the spam - glibcbug may have barfed on this before - again apologies
if this is a duplicate report.
Regards,
Michael.
Build bounded: no
Build static-nss: no
Stdio: libio
>Description:
When printing a certain set of strings, there appears to be a
buffer overflow issue in glibc's __asprintf implementation.
>How-To-Repeat:
Run the following - but link against electric fence:
gcc -lefence foo.c ; ./a.out
#include <stdio.h>
#include <stdlib.h>   /* malloc, free */
/* __asprintf is a glibc-internal entry point, so declare it by hand. */
extern int __asprintf (char **string_ptr,
                       const char *format, ...);
int main (int argc, char **argv)
{
    /* Three strings whose formatted total "%s: %s: %s" is 100 characters. */
    const char *a = "/opt/gnome/lib/orbit/Everything_module.so";
    const char *b = "cannot open shared object file";
    const char *c = "No such file or directory";
    char *result;
    free (malloc (8));   /* touch the heap before the first __asprintf */
    __asprintf (&result, "Hello %s", "World");
    fprintf (stderr, "%s\n", result);
    /* The second call is the one that crashes under electric fence. */
    __asprintf (&result, "%s: %s: %s", a, b, c);
    fprintf (stderr, "%s\n", result);
    return 0;
}
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 12303)]
0x400a02ad in _IO_vasprintf (result_ptr=0xbffff778, format=0x804882c
"%s: %s: %s", args=0xbffff758) at ../sysdeps/i386/i486/bits/string.h:121
121 ../sysdeps/i386/i486/bits/string.h: No such file or directory.
in ../sysdeps/i386/i486/bits/string.h
(gdb) bt
#0 0x400a02ad in _IO_vasprintf (result_ptr=0xbffff778, format=0x804882c
"%s: %s: %s", args=0xbffff758) at ../sysdeps/i386/i486/bits/string.h:121
#1 0x400876b7 in __asprintf (string_ptr=0xbffff778, format=0x804882c
"%s: %s: %s") at asprintf.c:37
#2 0x080486e1 in main (argc=1, argv=0xbffff7fc) at /home/michael/a.c:17
#3 0x40044177 in __libc_start_main (main=0x8048660 <main>, argc=1,
ubp_av=0xbffff7fc, init=0x80484b8 <_init>, fini=0x8048750 <_fini>,
rtld_fini=0x4000e184 <_dl_fini>, stack_end=0xbffff7ec) at
../sysdeps/generic/libc-start.c:129
>Fix:
No patch supplied, very suspicious of the constant '100'
lurking inside vasprintf.c (_IO_vasprintf):
/* Initial size of the buffer to be used. Will be doubled each time an
overflow occurs. */
const _IO_size_t init_string_size = 100;
probable buffer overrun.
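A resize strategy that cannot fall into the boundary case, as an added example that is not part of the report or of glibc: it starts from the same 100-byte initial buffer the report quotes and grows to the exact length vsnprintf reports. The three strings from the report add up to exactly 100 characters (41 + 2 + 30 + 2 + 25), so they hit the length-equals-capacity case where the text fits but the terminator does not; grow_vasprintf, check_roundtrip and INIT_SIZE are names chosen here, not glibc's.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define INIT_SIZE 100   /* the init_string_size constant the report quotes */
/* vasprintf-style core: formats into a malloc'd buffer, growing it to the length
   vsnprintf reports. Returns the length (without the NUL) or -1; never leaks. */
int grow_vasprintf(char **out, const char *fmt, va_list ap)
{
    size_t cap = INIT_SIZE;
    char *buf = malloc(cap), *nb;
    int need;
    *out = NULL; if (buf == NULL) return -1;
    for (;;) {
        va_list ap2;
        va_copy(ap2, ap);                /* a va_list can only be walked once */
        need = vsnprintf(buf, cap, fmt, ap2);
        va_end(ap2);
        if (need < 0) { free(buf); return -1; }
        if ((size_t)need < cap) break;   /* text and terminator both fit */
        /* need == cap is the off-by-one trap: the text fit but the NUL did not */
        cap = (size_t)need + 1;
        if ((nb = realloc(buf, cap)) == NULL) { free(buf); return -1; }
        buf = nb;
    }
    *out = buf;
    return need;
}

/* Formats, checks the buffer is terminated at the reported length, frees it and
   returns that length; -1 if anything disagrees. */
int check_roundtrip(const char *fmt, ...)
{
    char *s; va_list ap;
    va_start(ap, fmt);
    int n = grow_vasprintf(&s, fmt, ap);
    va_end(ap);
    if (n >= 0 && strlen(s) != (size_t)n) n = -1;
    free(s);                 /* free(NULL) is a no-op on the error path */
    return n;
}

int main(void)
{   /* the report's three strings: 41 + 2 + 30 + 2 + 25 = 100 characters */
    int n = check_roundtrip("%s: %s: %s", "/opt/gnome/lib/orbit/Everything_module.so",
                            "cannot open shared object file", "No such file or directory");
    printf("formatted length %d\n", n);   /* 100 */
    return n == 100 ? 0 : 1;
}
```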
--
address@hidden <><, Pseudo Engineer, itinerant idiot