bug-glibc

__asprintf buffer resize issue


From: Michael Meeks
Subject: __asprintf buffer resize issue
Date: Thu, 26 Jul 2001 17:38:23 -0400 (EDT)

>Submitter-Id:  net
>Originator:    Michael Meeks
>Organization:  Ximian Inc.

        One would hope this has been fixed already - if so apologies
for the spam - glibcbug may have barfed on this before - again apologies
if this is a duplicate report.

        Regards,

                Michael.

Build bounded: no
Build static-nss: no
Stdio: libio

>Description:

        When printing a certain set of strings, there appears to be a
buffer overflow issue in glibc's __asprintf implementation.


>How-To-Repeat:

        Run the following - but link against electric fence:

gcc -lefence foo.c ; ./a.out

#include <stdio.h>
#include <stdlib.h>     /* malloc, free */

/* glibc-internal entry point; declared by hand since no public header exports it. */
extern int __asprintf (char **string_ptr,
                       const char *format, ...);

int main (int argc, char **argv)
{
        const char *a = "/opt/gnome/lib/orbit/Everything_module.so";
        const char *b = "cannot open shared object file";
        const char *c = "No such file or directory";
        char *result;

        /* one allocation and release before the asprintf calls */
        free (malloc (8));

        /* short result: fine */
        __asprintf (&result, "Hello %s", "World");
        fprintf (stderr, "%s\n", result);
        /* long three-string result: crashes under electric fence */
        __asprintf (&result, "%s: %s: %s", a, b, c);
        fprintf (stderr, "%s\n", result);

        return 0;
}

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 12303)]
0x400a02ad in _IO_vasprintf (result_ptr=0xbffff778, format=0x804882c
"%s: %s: %s", args=0xbffff758) at ../sysdeps/i386/i486/bits/string.h:121
121     ../sysdeps/i386/i486/bits/string.h: No such file or directory.
        in ../sysdeps/i386/i486/bits/string.h
(gdb) bt
#0  0x400a02ad in _IO_vasprintf (result_ptr=0xbffff778, format=0x804882c
"%s: %s: %s", args=0xbffff758) at ../sysdeps/i386/i486/bits/string.h:121
#1  0x400876b7 in __asprintf (string_ptr=0xbffff778, format=0x804882c
"%s: %s: %s") at asprintf.c:37
#2  0x080486e1 in main (argc=1, argv=0xbffff7fc) at /home/michael/a.c:17
#3  0x40044177 in __libc_start_main (main=0x8048660 <main>, argc=1,
ubp_av=0xbffff7fc, init=0x80484b8 <_init>, fini=0x8048750 <_fini>, 
    rtld_fini=0x4000e184 <_dl_fini>, stack_end=0xbffff7ec) at
../sysdeps/generic/libc-start.c:129


>Fix:
        No patch supplied, very suspicious of the constant '100'
lurking inside vasprintf.c (_IO_vasprintf):

  /* Initial size of the buffer to be used.  Will be doubled each time an
     overflow occurs.  */
  const _IO_size_t init_string_size = 100;

        probable buffer overrun.

-- 
 address@hidden  <><, Pseudo Engineer, itinerant idiot
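A detail worth checking against the report's own inputs: the three strings are 41, 30 and 25 characters, and the format adds two ": " separators, so the formatted result is exactly 100 characters, 101 bytes with the terminating NUL. That is precisely the boundary of the 100-byte initial buffer the reporter points at, and it is the edge case any grow-on-demand vasprintf must handle: a vsnprintf return value of n means n + 1 bytes are needed. The code below is an added example, not glibc's _IO_vasprintf and not code from the reporter: a vasprintf built on C99 vsnprintf that starts from the same 100-byte buffer, grows on overflow, and retries. It also exercises results well past one doubling. The names safe_vasprintf, safe_asprintf, report_case_len and big_case_len are assumptions made for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same starting size the report quotes from vasprintf.c; the value is not
   the problem by itself, the boundary check on it is what matters. */
#define INIT_STRING_SIZE 100

/* Added example (hypothetical name): format into a heap buffer that grows
   until the whole result, including its NUL, fits. Returns the length
   (excluding NUL) or -1; on -1 *out is NULL. */
int safe_vasprintf(char **out, const char *fmt, va_list ap)
{
    size_t size = INIT_STRING_SIZE;
    char *buf = malloc(size);
    if (!buf) { *out = NULL; return -1; }

    for (;;) {
        va_list aq;
        va_copy(aq, ap);               /* ap must survive a retry */
        int n = vsnprintf(buf, size, fmt, aq);
        va_end(aq);

        if (n < 0) { free(buf); *out = NULL; return -1; }

        /* n excludes the NUL: the result fits only if n + 1 <= size,
           i.e. n < size. A 100-char result does NOT fit in 100 bytes. */
        if ((size_t)n < size) { *out = buf; return n; }

        /* Grow: at least double, but never below the exact need. */
        size_t need = (size_t)n + 1;
        size = (size * 2 > need) ? size * 2 : need;
        char *tmp = realloc(buf, size);
        if (!tmp) { free(buf); *out = NULL; return -1; }
        buf = tmp;
    }
}

/* Added example (hypothetical name): variadic wrapper. */
int safe_asprintf(char **out, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = safe_vasprintf(out, fmt, ap);
    va_end(ap);
    return n;
}

/* Reproduce the report's inputs: 41 + 2 + 30 + 2 + 25 = 100 characters. */
int report_case_len(char **out)
{
    const char *a = "/opt/gnome/lib/orbit/Everything_module.so";
    const char *b = "cannot open shared object file";
    const char *c = "No such file or directory";
    return safe_asprintf(out, "%s: %s: %s", a, b, c);
}

/* Constructed input: a run of n 'x' characters, to push the buffer through
   one or more doublings. Returns the formatted length, or -1 if the result
   is missing or its strlen disagrees with the reported length. */
int big_case_len(size_t n)
{
    char *s = malloc(n + 1);
    if (!s) return -1;
    memset(s, 'x', n);
    s[n] = '\0';

    char *r = NULL;
    int len = safe_asprintf(&r, "%s", s);
    int ok = (len >= 0 && r != NULL && strlen(r) == (size_t)len);
    free(s);
    free(r);
    return ok ? len : -1;
}

int main(void)
{
    char *r = NULL;
    int n = report_case_len(&r);
    printf("%d chars: %s\n", n, r ? r : "(null)");
    free(r);
    return 0;
}
```

The point of the retry loop is the comparison `n < size`: treating `n <= size` as "fits" would accept a result whose NUL lands one byte past the allocation, which is exactly what an electric-fence run would catch on a 100-character result with a 100-byte buffer.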