From: JunDong Xie
Subject: wget 1.19.4 has a buffer overflow vulnerability when formatting total download time
Date: Tue, 10 Dec 2019 15:28:50 +0800

This bug is in progress.c, in the create_image function.
```c
else
    {
      /* When the download is done, print the elapsed time.  */
      int nbytes;
      int ncols;

      /* Note to translators: this should not take up more room than
         available here (6 columns).  Abbreviate if necessary.  */
      strcpy (p, _("    in "));
      nbytes = strlen (p);
      ncols  = count_cols (p); /* (1) ncols is 9 in my environment */
      bytes_cols_diff = nbytes - ncols;
      if (dl_total_time >= 10)
        ncols += sprintf (p + nbytes, "%s",
                          eta_to_human_short ((int) (dl_total_time + 0.5), false));
        /* (2) eta_to_human_short may return a string like '17m 20s', whose
           length is 7. ncols is 0x10 now. */
      else
        ncols += sprintf (p + nbytes, "%ss", print_decimal (dl_total_time));
      p += ncols + bytes_cols_diff;
      memset (p, ' ', PROGRESS_ETA_LEN - ncols);
      /* (3) PROGRESS_ETA_LEN is 15, so the third parameter of memset
         becomes -1, which causes a buffer overflow in the heap. */
      p += PROGRESS_ETA_LEN - ncols;
    }
```
When the download is done, wget needs to print the elapsed time. In (1), ncols
is assigned 9. In (2), the longest string returned by eta_to_human_short has
length 7, which causes ncols to become 0x10. In (3), PROGRESS_ETA_LEN - ncols is
less than zero and there is no check here. memset's third parameter is an
unsigned integer, so this is an integer underflow, which causes an out-of-bounds
write in the heap.
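As an added illustration (this is neither wget's code nor the fix the project shipped), the same padding step written so that a negative remainder can never reach memset: the width is bounded with snprintf and the padding count is clamped at zero. It assumes an ASCII prefix so byte length equals column count; the names ETA_FIELD_LEN, eta_padding, format_elapsed and check_elapsed are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical field width, mirroring the 15-column ETA field in the report. */
#define ETA_FIELD_LEN 15

/* Padding spaces for a field that already holds 'used' columns.  Returns 0
   instead of a negative value; an unchecked (ETA_FIELD_LEN - used) converted
   to size_t is exactly what turns into a huge memset length. */
static size_t eta_padding(int used)
{
    if (used >= ETA_FIELD_LEN)
        return 0;
    return (size_t)(ETA_FIELD_LEN - used);
}

/* Write "    in <eta>" into out (capacity outsize), padded with spaces to
   exactly ETA_FIELD_LEN columns, truncating the time string if it is too
   long.  Returns the field length written, or -1 if out cannot hold it. */
static int format_elapsed(char *out, size_t outsize, const char *eta)
{
    const char prefix[] = "    in ";   /* ASCII: bytes == columns (assumption) */
    if (outsize < ETA_FIELD_LEN + 1)
        return -1;
    /* snprintf bounds the write; n is the length before truncation. */
    int n = snprintf(out, ETA_FIELD_LEN + 1, "%s%s", prefix, eta);
    int used = n > ETA_FIELD_LEN ? ETA_FIELD_LEN : n;
    size_t pad = eta_padding(used);       /* never negative, never > field */
    memset(out + used, ' ', pad);
    out[used + pad] = '\0';
    return used + (int)pad;
}

/* Test helper: format eta into a local buffer and compare with expected. */
static int check_elapsed(const char *eta, const char *expected)
{
    char buf[32];
    int len = format_elapsed(buf, sizeof buf, eta);
    return len == ETA_FIELD_LEN && strcmp(buf, expected) == 0;
}

int main(void)
{
    char buf[32];
    format_elapsed(buf, sizeof buf, "17m 20s");
    printf("[%s] padding=%zu\n", buf, eta_padding(16));
    return 0;
}
```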

Below is my wget version.
```
 wget --version           dddong@dddong-vm-ubuntu-18
GNU Wget 1.19.4 在 linux-gnu 上编译。

-cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls
+ntlm +opie +psl +ssl/openssl

Wgetrc:
    /etc/wgetrc (系统)
locale:
    /usr/share/locale
compile:
    gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/etc/wgetrc"
    -DLOCALEDIR="/usr/share/locale" -I. -I../../src -I../lib
    -I../../lib -Wdate-time -D_FORTIFY_SOURCE=2 -DHAVE_LIBSSL -DNDEBUG
    -g -O2 -fdebug-prefix-map=/build/wget-Xb5Z7Y/wget-1.19.4=.
    -fstack-protector-strong -Wformat -Werror=format-security
    -DNO_SSLv2 -D_FILE_OFFSET_BITS=64 -g -Wall
link:
    gcc -DHAVE_LIBSSL -DNDEBUG -g -O2
    -fdebug-prefix-map=/build/wget-Xb5Z7Y/wget-1.19.4=.
    -fstack-protector-strong -Wformat -Werror=format-security
    -DNO_SSLv2 -D_FILE_OFFSET_BITS=64 -g -Wall -Wl,-Bsymbolic-functions
    -Wl,-z,relro -Wl,-z,now -lpcre -luuid -lidn2 -lssl -lcrypto -lpsl
    ftp-opie.o openssl.o http-ntlm.o ../lib/libgnu.a

```

It is quite annoying when downloading large files, which often causes wget to
crash. Hope for your reply!

