[Bug binutils/14919] New: Unsafe returned value of NULL pointer in funct
From: yangyeping_666 at hotmail dot com
Subject: [Bug binutils/14919] New: Unsafe returned value of NULL pointer in function _nl_normalize_codeset at file intl/l10nflist.c
Date: Wed, 05 Dec 2012 08:16:50 +0000
http://sourceware.org/bugzilla/show_bug.cgi?id=14919
Bug #: 14919
Summary: Unsafe returned value of NULL pointer in function
_nl_normalize_codeset at file intl/l10nflist.c
Product: binutils
Version: 2.23
Status: NEW
Severity: normal
Priority: P2
Component: binutils
AssignedTo: address@hidden
ReportedBy: address@hidden
Classification: Unclassified
Sorry, I can't find a suitable component for this bug, and I selected binutils.
1) The file path containing this vulnerability: intl/l10nflist.c
2)Line number: 433
3)Code fragment (from line 415 to line 433):
  retval = (char *) malloc ((only_digit ? 3 : 0) + len + 1);
  if (retval != NULL)
    {
      if (only_digit)
        wp = stpcpy (retval, "iso");
      else
        wp = retval;
      for (cnt = 0; cnt < name_len; ++cnt)
        if (isalpha ((unsigned char) codeset[cnt]))
          *wp++ = tolower ((unsigned char) codeset[cnt]);
        else if (isdigit ((unsigned char) codeset[cnt]))
          *wp++ = codeset[cnt];
      *wp = '\0';
    }
  return (const char *) retval;
4) Short description: The variable "retval" is assigned at line 415 via
function "malloc". Although it is sanity-checked, this function can still
return a NULL pointer if retval is NULL. The "_nl_normalize_codeset" function
is called at line 115
"*normalized_codeset = _nl_normalize_codeset (*codeset,cp - *codeset);" in
file intl/explodename.c. If variable normalized_codeset is null, then the
following strcmp function will have a NULL pointer argument and a NULL pointer
dereference vulnerability occurs.
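One way a caller can handle the NULL return described in the report, as an added example that is not part of the original message and is not binutils code. The names normalize_codeset, codeset_changed, alloc_fn and failing_alloc are hypothetical, and the normalization is a simplified stand-in for the reported fragment with an injectable allocator so the failure path can be exercised.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical allocator hook so the out-of-memory path can be tested. */
typedef void *(*alloc_fn)(size_t);
static void *failing_alloc(size_t n) { (void)n; return NULL; }

/* Simplified stand-in for the reported fragment: keep letters (lowercased)
   and digits, prefix "iso" when the name contains no letters.
   Returns NULL on allocation failure, as the reported function can. */
static char *normalize_codeset(const char *codeset, size_t name_len, alloc_fn alloc)
{
    size_t len = 0, cnt;
    int only_digit = 1;
    char *retval, *wp;
    for (cnt = 0; cnt < name_len; ++cnt)
        if (isalnum((unsigned char)codeset[cnt])) {
            ++len;
            if (isalpha((unsigned char)codeset[cnt]))
                only_digit = 0;
        }
    retval = alloc((only_digit ? 3 : 0) + len + 1);
    if (retval == NULL)
        return NULL;
    wp = retval;
    if (only_digit) { memcpy(wp, "iso", 3); wp += 3; }
    for (cnt = 0; cnt < name_len; ++cnt) {
        unsigned char c = (unsigned char)codeset[cnt];
        if (isalpha(c)) *wp++ = (char)tolower(c);
        else if (isdigit(c)) *wp++ = (char)c;
    }
    *wp = '\0';
    return retval;
}

/* Caller-side check: 1 = normalized form differs from the input, 0 = same,
   -1 = allocation failed, so strcmp is never called with a NULL argument. */
static int codeset_changed(const char *codeset, alloc_fn alloc)
{
    char *norm = normalize_codeset(codeset, strlen(codeset), alloc);
    int changed;
    if (norm == NULL)
        return -1;
    changed = strcmp(codeset, norm) != 0;
    free(norm);
    return changed;
}

int main(void) { return codeset_changed("UTF-8", failing_alloc) == -1 ? 0 : 1; }
```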