[bug-gettext] [bug #47531] One byte heap buffer overflow in x-lua.c (triggered by make check)

2016-03-25 Thread Daiki Ueno
Update of bug #47531 (project gettext):

     Status: None => Fixed
Open/Closed: Open => Closed

___

Follow-up Comment #1:

Thanks, I have pushed the patch:
http://git.savannah.gnu.org/cgit/gettext.git/commit/?id=0571be87e09c6db11be8c56c773b563c2b4c99a4

___

  Message sent via/by Savannah
  http://savannah.gnu.org/




[bug-gettext] [bug #47531] One byte heap buffer overflow in x-lua.c (triggered by make check)

2016-03-25 Thread Hanno Boeck

        Summary: One byte heap buffer overflow in x-lua.c (triggered by make check)
        Project: GNU gettext
   Submitted by: hanno
   Submitted on: Fri 25 Mar 2016 02:02:44 PM CET
       Category: None
       Severity: 3 - Normal
     Item Group: None
         Status: None
        Privacy: Public
    Assigned to: None
    Open/Closed: Open
Discussion Lock: Any

___

Details:

There is a one byte heap buffer overflow in x-lua.c. This is the code:

static void
string_end ()
{
  string_buf[string_buf_length] = '\0';
}


The problem is that when string_buf_length is larger than string_buf it will
still write. In the function above (string_add) there is a check for that and
a call to xrealloc in that case. See attached patch for a similar change to
string_end (I realloc only one additional byte because I assume after
string_end no more memory is needed).

This was found by running the test suite (make check) with address sanitizer
enabled. I'll attach the address sanitizer error message as well.



___

File Attachments:


---
Date: Fri 25 Mar 2016 02:02:44 PM CET  Name: gettext-fix-bufferoverflow.diff 
Size: 436B   By: hanno


---
Date: Fri 25 Mar 2016 02:02:44 PM CET  Name: gettext-lua-overflow-asan.txt 
Size: 4kB   By: hanno


