*Synopsis*: *libast* Array overruns in libast CR 6765756 changed on Dec 8 2008 by <User 1-5Q-5151>
=== Field ============ === New Value ============= === Old Value =============
Evaluation             New Note
Hook 6                 <email address omitted>     <email address omitted>
Introduced in Build    snv_72
Introduced in Release  solaris_nevada
Status                 5-Cause Known               1-Dispatched
Synopsis               *libast* Array overruns i..  Array overruns in libast
====================== =========================== ===========================

*Change Request ID*: 6765756
*Synopsis*: *libast* Array overruns in libast
Product: solaris
Category: shell
Subcategory: korn93
Type: Defect
Subtype:
Status: 5-Cause Known
Substatus:
Priority: 3-Medium
Introduced In Release: solaris_nevada
Introduced In Build: snv_72
Responsible Engineer:
Keywords: parfait

=== *Description* ============================================================

usr/src/lib/libast/common/sfio/sfvscanf.c

    0153:     for(c = 0; c <= SF_MAXCHAR; ++c)
    0154:         ac->ok[c] = !ac->yes;
    0155:
    0156:     if(*form == ']' || *form == '-')    /* special first char */
    0157:     {   ac->ok[*form] = ac->yes;
    0158:         form += 1;
    0159:     }

Array ac->ok has a size of SF_MAXCHAR (255), and the last loop iteration accesses ac->ok[SF_MAXCHAR].

usr/src/lib/libast/common/comp/setlocale.c

    0800:                 for (i = 1; i < n; i++)
    0801:                     single(i, NiL);
    0802:                 return -1;
    0803:             }
    0804:         }
    0805:         else if (!categories[n].prev)
    0806:             categories[n].prev = p;
    0807:     }
    0808:     return n;
    0809: }

In this case, the loop bounds are correct (<AST_LC_COUNT), but n is used after incrementing and not tested, effectively looping from 1 to 14 inclusive.

usr/src/lib/libast/common/path/pathkey.c

    0159:             break;
    0160:         usr[c++] = k;
    0161:         while (*k && *k != ':' && *k != ' ')
    0162:             k++;
    0163:     }
    0164:     usr[c] = 0;
    0165:     ver[0] = (char*)lang;
    0166:     ver[1] = k = (s = strrchr(path, '/')) ? s + 1 : path;

If the PROBE_ATTRIBUTES or VERSION_ENVIRONMENT environment variables contain 16 or more colon-separated items, c will be 16, leading to an overrun on line 164.

usr/src/lib/libast/common/tm/tmxdate.c

    0350:     if (k)
    0351:         flags |= MONTH;
    0352:     else
    0353:         for (i = 1; i <= 12; i++)
    0354:             mon[i] = 1;

The for loop runs from 1 to 12 instead of 0 to 11 on a char[12] array.

This bug was found using the Parfait source code analysis tool. See http://research.sun.com/projects/parfait

*** (#1 of 1): 2008-10-30 18:56:58 GMT+00:00 <User 1-5Q-544>

=== *Public Comments* ========================================================

=== *Workaround* =============================================================

=== *Additional Details* =====================================================

Targeted Release:
Commit To Fix In Build:
Fixed In Build:
Integrated In Build:
Verified In Build:
See Also:
Duplicate of:
Hooks:
Hook1:
Hook2:
Hook3:
Hook4:
Hook5:
Hook6: <email address omitted>
Program Management:
Root Cause:
Fix Affects Documentation: No
Fix Affects Localization: No

=== *History* ================================================================

Date Submitted: 2008-10-30 18:56:58 GMT+00:00
Submitted By: <User 1-5Q-544>

Status Changed    Date Updated                   Updated By
5-Cause Known     2008-12-08 23:54:05 GMT+00:00  <User 1-5Q-5151>

=== *Service Request* ========================================================

Impact: Significant
Functionality: Secondary
Severity: 3
Product Name: solaris
Product Release: solaris_nevada
Product Build:
Operating System: solaris_nevada
Hardware: generic
Submitted Date: 2008-10-30 18:56:58 GMT+00:00

=== *Multiple Release (MR) Cluster* - 0 ======================================
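The three indexing patterns in the Description (the inclusive SF_MAXCHAR loop in sfvscanf.c, the unbounded colon-separated split in pathkey.c, and the 1..12 month loop in tmxdate.c) share one root cause: a loop bound or counter that can reach the array's size. The following is an added example, not libast code and not the fix integrated for this CR; it shows bounded versions of each pattern with constructed inputs that hit the edge cases. SF_MAXCHAR and the char[12] month table come from the report; MAX_ITEMS, the struct and function names are assumptions made here for illustration. The setlocale.c case (n used after increment without a re-test) is not modelled because too little of its surrounding code is on the page.

```c
/*
 * Added example, not libast source: bounded counterparts of the three
 * array-indexing patterns reported in CR 6765756.  SF_MAXCHAR and the
 * mon[12] shape come from the report; MAX_ITEMS and all names below are
 * assumed for illustration.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SF_MAXCHAR 255   /* highest byte value, as in the report */
#define MAX_ITEMS  16    /* assumed capacity of the usr[] pointer array */
#define MONTHS     12    /* mon[] is char[12] in tmxdate.c */

/* 1. sfvscanf-style accept table.  A loop from 0 to SF_MAXCHAR inclusive
 * touches SF_MAXCHAR + 1 entries, so the table is sized to match. */
typedef struct {
    int  yes;
    char ok[SF_MAXCHAR + 1];
} accept_t;

/* Fill the table; returns the number of entries written (256). */
size_t accept_init(accept_t *ac, const char *form)
{
    size_t c;
    for (c = 0; c <= SF_MAXCHAR; ++c)
        ac->ok[c] = (char)!ac->yes;
    if (*form == ']' || *form == '-')          /* special first char */
        /* unsigned cast: a plain char with the high bit set would be a
         * negative index, i.e. an access before the array */
        ac->ok[(unsigned char)*form] = (char)ac->yes;
    return c;
}

/* 2. pathkey-style split of a colon/space-separated list into a fixed
 * pointer array.  The loop stops when only the terminator slot is left,
 * so a list with MAX_ITEMS or more items can no longer write usr[cap].
 * Modifies s in place; returns the number of items stored. */
size_t split_list(char *s, const char *usr[], size_t cap)
{
    size_t c = 0;
    char *k = s;
    while (*k && c < cap - 1) {
        usr[c++] = k;
        while (*k && *k != ':' && *k != ' ')
            k++;
        if (*k)
            *k++ = '\0';
    }
    usr[c] = NULL;
    return c;
}

/* 3. tmxdate-style month flags: valid indices are 0..MONTHS-1.
 * Returns the number of flags set (12). */
int set_all_months(char mon[MONTHS])
{
    int i;
    for (i = 0; i < MONTHS; i++)
        mon[i] = 1;
    return i;
}

/* Constructed inputs that exercise the edge cases. */
int demo_accept_special_first(void)
{
    accept_t ac;
    ac.yes = 1;
    if (accept_init(&ac, "]abc") != SF_MAXCHAR + 1)
        return -1;
    return ac.ok[']'] == 1 && ac.ok['a'] == 0;   /* 1 on success */
}

size_t demo_split_long_list(void)
{
    /* constructed: 20 items, more than MAX_ITEMS */
    char buf[] = "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t";
    const char *usr[MAX_ITEMS];
    size_t n = split_list(buf, usr, MAX_ITEMS);
    return usr[n] == NULL ? n : 0;   /* 15 items; slot 15 is the terminator */
}

int demo_months(void)
{
    char mon[MONTHS];
    return set_all_months(mon);
}

int main(void)
{
    printf("accept table ok: %d\n", demo_accept_special_first());
    printf("items stored from 20-item list: %zu\n", demo_split_long_list());
    printf("months flagged: %d\n", demo_months());
    return 0;
}
```

The point of each function is that the array size and the loop bound are derived from the same constant, so a reviewer (or a tool like Parfait) can check them against each other; in the originals, the bound was written independently of the array declaration and drifted by one. Dropping surplus list items silently, as split_list does, is one policy; rejecting the input is another, and which is right depends on the caller.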