* Andrew Makhorin <[EMAIL PROTECTED]> [2007-09-11 10:32]:

> >   static void
> >   xvprintf (const char *fmt, va_list arg)
> >   {
> >       char    buf[4000 + 1];
> >       vsprintf (buf, fmt, arg);
> >       xassert (strlen (buf) < sizeof (buf));          /* here! */
> >       xputs (buf);
> >       return;
> >   }
> 
> > The assertion checks the length of the string in the current buffer
> > AFTER having written it there. Too late, and ineffective anyway.
> 
> However, this is not a bug, since buf cannot overflow; xvprintf is
> not available at the API level, either directly or indirectly, and is
> used internally only by glpk routines, which do not output messages
> long enough to cause the overflow.

I am a bit confused here: xvprintf is called by xprintf in src/glplib05.c.
The xprintf function is actually available in the public API through
_glp_lib_xprintf.  It would then be possible to write a malicious program
linked against libglpk that would exploit the buffer overflow vulnerability
described in this bug report.  Please, tell me whether I am wrong or not.

-- 
Rafael
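As an added illustration, not code from glpk or from anyone in this thread: a bounded replacement for the quoted xvprintf that uses vsnprintf and inspects its return value before anything is emitted, so oversized messages are truncated instead of overrunning the buffer. The names xvprintf_safe, xprintf_safe, XBUF_SIZE and the helper functions are my own, and the "message: %s" format is a constructed sample.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define XBUF_SIZE 4000   /* same capacity as the buf[4000 + 1] in the report (assumed) */

/* Bounded counterpart of xvprintf: vsnprintf never writes more than outsz
   bytes (including the terminator) and returns the length the complete
   message would have had, so truncation is known before the text is used.
   Returns 1 if the message was truncated, 0 if it fit, -1 on encoding error. */
static int xvprintf_safe(char *out, size_t outsz, const char *fmt, va_list arg)
{
    int need = vsnprintf(out, outsz, fmt, arg);
    if (need < 0) {
        out[0] = '\0';
        return -1;
    }
    return (size_t)need >= outsz;   /* need >= outsz means the tail was dropped */
}

/* Variadic front end, mirroring how xprintf wraps xvprintf. */
static int xprintf_safe(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int rc;
    va_start(ap, fmt);
    rc = xvprintf_safe(out, outsz, fmt, ap);
    va_end(ap);
    return rc;
}

/* Formats a caller-controlled string into a fixed 4000-byte buffer and
   reports whether it was truncated; the buffer cannot overflow either way. */
static int format_message_truncated(const char *msg, size_t *out_len)
{
    char buf[XBUF_SIZE + 1];
    int truncated = xprintf_safe(buf, sizeof buf, "message: %s", msg);
    if (out_len)
        *out_len = strlen(buf);
    return truncated;
}

/* Constructed oversized input (twice the buffer size): with vsprintf this
   would have overrun buf; here it is cut at XBUF_SIZE characters. */
static int demo_long_input_truncated(void)
{
    char big[2 * XBUF_SIZE];
    size_t len = 0;
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return format_message_truncated(big, &len) == 1 && len == XBUF_SIZE;
}
```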


