Package: man-db
Version: 2.5.4-1
Severity: important
The 'count' variable in src/man.c:sort_candidates() is used uninitialized
which causes a random amount of memory to be allocated, with the
possibility of mmap()'ing all available memory (and more).
The following patch fixes this issue:
--- man-db-2.5.4/src/man.c 2009-02-23 22:18:56.000000000 +0000
+++ man-db-2.5.4.new/src/man.c 2009-03-13 23:54:18.447351076 +0000
@@ -2949,11 +2949,11 @@
/* Sort the entire list of candidates. */
static void sort_candidates (struct candidate **candidates)
{
struct candidate *cand, **allcands;
- size_t count, i;
+ size_t count = 0, i;
for (cand = *candidates; cand; cand = cand->next)
++count;
if (count == 0)
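Review bot: The `= 0` initializer in `size_t count = 0, i;` sits apart from the `++count` loop that depends on it, so a later edit that reuses or moves the variable could reintroduce the bug. Consider resetting the counter in the loop header instead, e.g. `for (count = 0, cand = *candidates; cand; cand = cand->next)`, which keeps the initialization next to the only code that relies on it. Both `++count` and `if (count == 0)` read the variable before anything else writes it, so this is also a case GCC's -Wuninitialized is designed to report; enabling it in the build would catch similar mistakes.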
-Dustin
-- System Information:
Debian Release: squeeze/sid
APT prefers testing-proposed-updates
APT policy: (500, 'testing-proposed-updates'), (500, 'testing')
Architecture: alpha
Kernel: Linux 2.6.29-rc7-git4 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Versions of packages man-db depends on:
ii bsdmainutils 6.1.10 collection of more utilities from
ii debconf [debconf-2.0] 1.5.25 Debian configuration management sy
ii dpkg 1.14.25 Debian package management system
ii groff-base 1.18.1.1-21 GNU troff text-formatting system (
ii libc6.1 2.7-18 GNU C Library: Shared libraries
ii libgdbm3 1.8.3-4 GNU dbm database routines (runtime
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
man-db recommends no packages.
Versions of packages man-db suggests:
ii elinks [www-browser] 0.12~pre2.dfsg0-1 advanced text-mode WWW browser
ii groff 1.18.1.1-21 GNU troff text-formatting system
ii less 418-1 Pager program similar to more
ii lynx-cur [www-browser] 2.8.7dev13-1 Text-mode WWW Browser with NLS sup
ii w3m [www-browser] 0.5.2-2+b1 WWW browsable pager with excellent
-- debconf information:
man-db/install-setuid: false
diff -rN -U 5 man-db-2.5.4/src/man.c man-db-2.5.4.new/src/man.c
--- man-db-2.5.4/src/man.c 2009-02-23 22:18:56.000000000 +0000
+++ man-db-2.5.4.new/src/man.c 2009-03-13 23:54:18.447351076 +0000
@@ -2949,11 +2949,11 @@
/* Sort the entire list of candidates. */
static void sort_candidates (struct candidate **candidates)
{
struct candidate *cand, **allcands;
- size_t count, i;
+ size_t count = 0, i;
for (cand = *candidates; cand; cand = cand->next)
++count;
if (count == 0)
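Review bot: `i` in `size_t count = 0, i;` is still declared without an initializer on the same line as the variable being fixed. Its use falls outside the visible context, so confirm it is assigned before it is first read, and consider splitting the declaration into one variable per line so each variable's initial state is explicit.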