Hi all,
Our user "Lemonboy" has found a vulnerability in CHICKEN's SRFI-4
constructors, when using a nonstandard extension; the "NONGC" argument
to make-[su]{8,16,32}vector. This argument will allocate a uniform
bytevector in unmanaged memory (not subject to garbage collection),
by using malloc().

The range of the size argument would not be checked, which means a
negative size could end up being passed to malloc(), resulting in a
segfault and potential buffer overruns. Constructor calls to allocate
SRFI-4 vectors in managed memory are not affected.

This issue has been fixed in master by commit e792fd8cc, which can be
found here in patch form:
https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=68c4e537a29d3f878016e0144c42d0e7ae5d41b4

A simple workaround would be to always check the range of the input to
be between 0 and 2^30 for 8-bit vectors, 2^29 for 16-bit vectors or
2^28 for 32-bit vectors before passing it on to the constructor.

Many thanks to Lemonboy for finding this issue and proposing an initial
patch.

Regards,
The CHICKEN Team
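
The workaround described above, as an added example (not part of the original announcement and not CHICKEN's own code): wrappers that validate the length before calling the SRFI-4 constructors with NONGC set. The wrapper and helper names are hypothetical, the upper bound is treated as exclusive as a conservative assumption, and `(use srfi-4)` is CHICKEN 4 syntax.

```scheme
;; Added example: range-checked wrappers for the NONGC SRFI-4 constructors.
(use srfi-4)   ; CHICKEN 4; on CHICKEN 5 this would be (import srfi-4)

;; Element-count limits from the advisory's workaround.
(define limit-8  (expt 2 30))   ; 8-bit vectors
(define limit-16 (expt 2 29))   ; 16-bit vectors
(define limit-32 (expt 2 28))   ; 32-bit vectors

;; Hypothetical helper: return N if it is an exact integer in [0, LIMIT),
;; otherwise signal an error before anything reaches malloc().
(define (check-length who n limit)
  (unless (and (integer? n) (exact? n) (<= 0 n) (< n limit))
    (error who "vector length out of range" n))
  n)

;; Hypothetical helper: wrap constructor MAKE so that it always validates
;; the length and then allocates in unmanaged memory.
(define (checked-nongc make who limit)
  (lambda (n fill)
    ;; The third argument (#t) is NONGC: storage is obtained with malloc().
    (make (check-length who n limit) fill #t)))

(define make-u8vector/nongc
  (checked-nongc make-u8vector 'make-u8vector limit-8))
(define make-s8vector/nongc
  (checked-nongc make-s8vector 'make-s8vector limit-8))
(define make-u16vector/nongc
  (checked-nongc make-u16vector 'make-u16vector limit-16))
(define make-s16vector/nongc
  (checked-nongc make-s16vector 'make-s16vector limit-16))
(define make-u32vector/nongc
  (checked-nongc make-u32vector 'make-u32vector limit-32))
(define make-s32vector/nongc
  (checked-nongc make-s32vector 'make-s32vector limit-32))

;; A valid length allocates normally.
(print (u8vector-length (make-u8vector/nongc 16 0)))

;; A negative or oversized length is rejected with an error instead of
;; being handed to the constructor; the handler turns that into a symbol.
(print (handle-exceptions exn 'rejected (make-u8vector/nongc -1 0)))
(print (handle-exceptions exn 'rejected (make-u32vector/nongc (expt 2 28) 0)))
```

Lengths that come from untrusted input (file headers, network messages) are the ones that most need to pass through such a check.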
