URL: <https://savannah.gnu.org/patch/?10096>
Summary: potential buffer overflow in resource.c
Project: GNU gv
Submitted by: eqkws
Submitted on: Wed 18 Aug 2021 02:41:52 AM UTC
Category: None
Priority: 5 - Normal
Status: None
Privacy: Public
Assigned to: None
Originator Email:
Open/Closed: Open
Discussion Lock: Any

_______________________________________________________

Details:

In src/resource.c, there are multiple potential buffer overflow vulnerabilities.

At line 202, the program gets the value of 'locale' from an environment variable.

------------------------------
202     locale = getenv("LC_ALL");
203     if ( !locale || !*locale )
204       locale = getenv("LC_MESSAGES");
205     if ( !locale || !*locale )
206       locale = getenv("LANG");
207     if ( !locale || !*locale )
208       locale = "C";
------------------------------

From lines 211 to 228, the string in 'locale' is stored in 'loc_lang'. After that, sprintf calls use 'loc_lang' with no length check. Since the sizes of 'locale1', 'locale2' and 'locale3' are all fixed to 100, if a malicious attacker puts a large string in the environment variable, it may cause a stack buffer overflow that leads to buggy behavior.

------------------------------
210     {
211       char* cL, * cP;
212
213       cP = loc_lang;
214       cL = locale;
215
216       *loc_terr = 0;
217       *loc_cs = 0;
218       *loc_mod = 0;
219
220       while (*cL)
221       {
222         if ( *cL == '_' ) { *cP = 0; cP = loc_terr; }
223         if ( *cL == '.' ) { *cP = 0; cP = loc_cs; }
224         if ( *cL == '@' ) { *cP = 0; cP = loc_mod; }
225         *cP++ = *cL++;
226       }
227       *cP = 0;
228     }
229
230     s = resource_getResource(db,app_class,app_name, "international",0);
231     if (s == NULL || !strcasecmp(s, "False"))
232     {
233       sprintf(locale1, "noint:%s%s", loc_lang, loc_terr);
234       sprintf(locale2, "noint:%s", loc_lang);
235       strcpy(locale3, "C");
236     }
237     else
238     {
239       strcpy(locale1, locale);
240       sprintf(locale2, "%s%s%s", loc_lang, loc_terr, loc_cs);
241       sprintf(locale3, "%s%s", loc_lang, loc_cs);
242     }
------------------------------

_______________________________________________________
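A bounded rewrite of the two quoted regions, added here as an illustration and not part of the report or of gv's source: every component copy and every formatted write is length-checked and the caller gets an error instead of an overflow. LOC_BUF, split_locale, fits, build_locale_names and the 'international' flag are assumed names standing in for gv's own declarations and the resource lookup.

```c
#include <stdio.h>
#include <string.h>

#define LOC_BUF 100   /* assumed to match the fixed 100-byte buffers in the report */

/* Hypothetical bounded replacement for the splitting loop at lines 210-228.
   Separators are kept as the first byte of the next component, as in gv.
   Returns 0 on success, -1 if a component would not fit in bufsz bytes. */
static int split_locale(const char *locale, char *loc_lang, char *loc_terr,
                        char *loc_cs, char *loc_mod, size_t bufsz)
{
    char *cP = loc_lang;   /* current destination component */
    size_t used = 0;       /* bytes already written into cP */

    loc_lang[0] = loc_terr[0] = loc_cs[0] = loc_mod[0] = '\0';
    for (; *locale; locale++) {
        if (*locale == '_')      { cP = loc_terr; used = 0; }
        else if (*locale == '.') { cP = loc_cs;   used = 0; }
        else if (*locale == '@') { cP = loc_mod;  used = 0; }
        if (used + 1 >= bufsz) return -1;   /* no room for byte + NUL: refuse */
        cP[used++] = *locale;
        cP[used] = '\0';
    }
    return 0;
}

/* snprintf returns the length it wanted to write; anything >= bufsz was cut. */
static int fits(int n, size_t bufsz) { return n >= 0 && (size_t)n < bufsz; }

/* Hypothetical bounded replacement for the sprintf/strcpy block at 230-242.
   'international' stands in for the resource lookup; 0 means "False". */
static int build_locale_names(const char *locale, int international,
                              char *locale1, char *locale2, char *locale3,
                              size_t bufsz)
{
    char lang[LOC_BUF], terr[LOC_BUF], cs[LOC_BUF], mod[LOC_BUF];
    int n1, n2, n3;
    if (split_locale(locale, lang, terr, cs, mod, sizeof lang) != 0) return -1;
    if (!international) {
        n1 = snprintf(locale1, bufsz, "noint:%s%s", lang, terr);
        n2 = snprintf(locale2, bufsz, "noint:%s", lang);
        n3 = snprintf(locale3, bufsz, "C");
    } else {
        n1 = snprintf(locale1, bufsz, "%s", locale);
        n2 = snprintf(locale2, bufsz, "%s%s%s", lang, terr, cs);
        n3 = snprintf(locale3, bufsz, "%s%s", lang, cs);
    }
    return (fits(n1, bufsz) && fits(n2, bufsz) && fits(n3, bufsz)) ? 0 : -1;
}
```

A caller that receives -1 can fall back to "C" rather than proceed with a partially written name.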