URL:
<https://savannah.gnu.org/bugs/?61043>
Summary: potential integer overflow vulnerability in src/preproc/grn/hdb.cpp
Project: GNU troff
Submitted by: eqkws
Submitted on: Sun 15 Aug 2021 06:03:08 AM UTC
Category: None
Severity: 3 - Normal
Item Group: None
Status: None
Privacy: Private
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release: None
_______________________________________________________
Details:
Hi, I found an integer overflow bug in the source code of groff.
In src/preproc/grn/hdb.cpp:189,
189 (void) fscanf(file, "%d", &len); /* text length */
190 (void) getc(file); /* eat blank */
191 txt = (char *) malloc((unsigned) len + 1);
The program reads the value of len from an input file and calls malloc with
len + 1.
If a maliciously crafted input that sets len to -1 is given, it will cause an
integer overflow, and allocation with 0 leads to buggy behavior like denial of
service.
Thank you.
_______________________________________________________
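To make the reported failure mode concrete, the following is an added example (not groff's code): vulnerable_alloc_size reproduces the size arithmetic at hdb.cpp:191, and read_text_checked shows a checked reader that validates len before allocating. MAX_TEXT_LEN and accepts_input are assumed names introduced for the example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed upper bound for one text record; hdb.cpp has no such cap. */
#define MAX_TEXT_LEN 65536
/* Mirrors hdb.cpp:191, (unsigned) len + 1: for len == -1 the cast gives
 * UINT_MAX and the +1 wraps to 0, so malloc() is asked for zero bytes. */
unsigned vulnerable_alloc_size(int len)
{
    return (unsigned) len + 1;
}

/* Hardened replacement (assumed helper, not groff's code): parse the
 * length, reject anything unparsable, negative or oversized, and only
 * then allocate and read. Returns NULL on any failure. */
char *read_text_checked(FILE *file)
{
    int len;
    if (fscanf(file, "%d", &len) != 1)   /* no integer in the stream */
        return NULL;
    if (len < 0 || len > MAX_TEXT_LEN)   /* negative or absurd length */
        return NULL;
    (void) getc(file);                   /* eat blank, as the original does */
    char *txt = malloc((size_t) len + 1);
    if (txt == NULL)
        return NULL;
    if (fread(txt, 1, (size_t) len, file) != (size_t) len) {
        free(txt);                       /* file shorter than it claims */
        return NULL;
    }
    txt[len] = '\0';
    return txt;
}

/* Test helper: run one constructed record through read_text_checked via a
 * temporary file. Returns 1 if accepted, 0 if rejected, -1 on I/O error. */
int accepts_input(const char *record)
{
    FILE *f = tmpfile();
    if (f == NULL) return -1;
    fputs(record, f);
    rewind(f);
    char *txt = read_text_checked(f);
    fclose(f);
    if (txt == NULL)
        return 0;
    free(txt);
    return 1;
}
```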