bug-gnulib
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: write past end of buffer in vasnprintf() implementation of %f

From: Bruno Haible
Subject: Re: write past end of buffer in vasnprintf() implementation of %f
Date: Sun, 23 Sep 2018 14:25:50 +0200
User-agent: KMail/5.1.3 (Linux/4.4.0-134-generic; KDE/5.18.0; x86_64; ; ) 
Hi Ben,

> When I apply the following patch to gnulib:
> 
> ----------------------------------------------------------------------
> diff --git a/tests/test-vasnprintf.c b/tests/test-vasnprintf.c
> index 19731bc93378..105ac24c94a3 100644
> --- a/tests/test-vasnprintf.c
> +++ b/tests/test-vasnprintf.c
> @@ -59,6 +59,11 @@ test_function (char * (*my_asnprintf) (char *, size_t *, 
> const char *, ...))
>        if (result != buf)
>          free (result);
>      }
> +
> +  size_t length = 8;
> +  char *result = my_asnprintf (buf, &length, "%2.0f", 
> 0x1.e38417c792296p+893);
> +  if (result != buf)
> +    free (result);
>  }
>  
>  static char *
> ----------------------------------------------------------------------
> 
> and then run:
> 
> CC='gcc -fsanitize=address -g -O0' ./gnulib-tool --test vasnprintf 
> vasnprintf-posix
> 
> I get the following failure from test-vasnprintf:
> 
> ----------------------------------------------------------------------
> ==17880==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4b03ece 
> at pc 0xf770f8ed bp 0xffac9638 sp 0xffac962c
> WRITE of size 1 at 0xf4b03ece thread T0
>     #0 0xf770f8ec in convert_to_decimal ../../gllib/vasnprintf.c:899
>     #1 0xf770f8ec in scale10_round_decimal_decoded 
> ../../gllib/vasnprintf.c:1292
>     #2 0xf771057c in scale10_round_decimal_double 
> ../../gllib/vasnprintf.c:1328
>     #3 0xf771755c in vasnprintf ../../gllib/vasnprintf.c:4119

An excellent bug report! Thank you.

> The line in convert_to_decimal() cited above is the assignment here:
> 
>       /* Terminate the string.  */
>       *d_ptr = '\0';
> 
> I guess that the space calculation passed to malloc() at the top of the
> same function is not precise.  I don't know whether the right thing to
> do is to just add one.

Indeed, the right thing is to add just 1.

> This bug was originally reported against GNU PSPP:
>         https://savannah.gnu.org/bugs/?func=detailitem&item_id=54686
> 
> For this report, I've simplified it to remove the PSPP dependency (and
> to make sure it isn't somehow a PSPP bug).

I found a smaller test case: 1.6314159265358979e+125 instead of
1.24726002000241678234e+269, and added that to the test suite.
For the record, the issue occurs for all numbers in the ranges
  10^125 <= arg < 2^416
  10^134 <= arg < 2^448
  10^260 <= arg < 2^864
  10^269 <= arg < 2^896
  ...


2018-09-23  Bruno Haible  <address@hidden>

        vasnprintf: Fix heap memory overrun bug.
        Reported by Ben Pfaff <address@hidden> in
        <https://lists.gnu.org/archive/html/bug-gnulib/2018-09/msg00107.html>.
        * lib/vasnprintf.c (convert_to_decimal): Allocate one more byte of
        memory.
        * tests/test-vasnprintf.c (test_function): Add another test.

diff --git a/lib/vasnprintf.c b/lib/vasnprintf.c
index 56ffbe3..30d021b 100644
--- a/lib/vasnprintf.c
+++ b/lib/vasnprintf.c
@@ -860,7 +860,9 @@ convert_to_decimal (mpn_t a, size_t extra_zeroes)
   size_t a_len = a.nlimbs;
   /* 0.03345 is slightly larger than log(2)/(9*log(10)).  */
   size_t c_len = 9 * ((size_t)(a_len * (GMP_LIMB_BITS * 0.03345f)) + 1);
-  char *c_ptr = (char *) malloc (xsum (c_len, extra_zeroes));
+  /* We need extra_zeroes bytes for zeroes, followed by c_len bytes for the
+     digits of a, followed by 1 byte for the terminating NUL.  */
+  char *c_ptr = (char *) malloc (xsum (xsum (extra_zeroes, c_len), 1));
   if (c_ptr != NULL)
     {
       char *d_ptr = c_ptr;
diff --git a/tests/test-vasnprintf.c b/tests/test-vasnprintf.c
index 19731bc..93d81d7 100644
--- a/tests/test-vasnprintf.c
+++ b/tests/test-vasnprintf.c
@@ -53,7 +53,26 @@ test_function (char * (*my_asnprintf) (char *, size_t *, 
const char *, ...))
       ASSERT (result != NULL);
       ASSERT (strcmp (result, "12345") == 0);
       ASSERT (length == 5);
-      if (size < 6)
+      if (size < 5 + 1)
+        ASSERT (result != buf);
+      ASSERT (memcmp (buf + size, &"DEADBEEF"[size], 8 - size) == 0);
+      if (result != buf)
+        free (result);
+    }
+
+  /* Note: This test assumes IEEE 754 representation of 'double' floats.  */
+  for (size = 0; size <= 8; size++)
+    {
+      size_t length;
+      char *result;
+
+      memcpy (buf, "DEADBEEF", 8);
+      length = size;
+      result = my_asnprintf (buf, &length, "%2.0f", 1.6314159265358979e+125);
+      ASSERT (result != NULL);
+      ASSERT (strcmp (result, 
"163141592653589790215729350939528493057529598899734151772468186268423257777068536614838678161083520756952076273094236944990208")
 == 0);
+      ASSERT (length == 126);
+      if (size < 126 + 1)
         ASSERT (result != buf);
       ASSERT (memcmp (buf + size, &"DEADBEEF"[size], 8 - size) == 0);
       if (result != buf)
reply via email to
[Prev in Thread] Current Thread [Next in Thread]