Date: Thu, 23 Oct 2014 08:24:00 -0700
From: Michal Zalewski <lcamtuf@...edump.cx>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Re: strings / libbfd crasher

> http://lcamtuf.coredump.cx/stringme

The immediate cause is due to srec_scan() in srec.c decreasing 'bytes' without range checking until it wraps around.

The already-bad value of 'bytes' is assigned to 'sec->size' a few lines before the crash, so perhaps there would be potential for exploitability later down the line; but the code ends up crashing soon thereafter in a 'while (bytes > 0)' loop that has no other exit conditions. That loop would need to go over the entire address space without SEGV to avoid the crash.

/mz
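The unsigned wrap-around described in the message, shown on a constructed, simplified model of an S-record length field. This is added illustration, not code from binutils or libbfd, and `srec_address_len`, `data_len_unchecked`, `data_len_checked` and `consume_data` are hypothetical names: the record count is one byte that must cover the address bytes, the data bytes and a trailing checksum, and the unchecked variant subtracts the fixed fields from the count without first checking that the count is large enough, so a count that is too small wraps to a huge value; the checked variant rejects such a record before any subtraction. The consumer loop is bounded by the real buffer size so the demonstration reports the runaway instead of reading past the buffer the way an unbounded `while (bytes > 0)` loop would.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed model of an S-record's count byte: it must cover the
   address field, the data bytes and a one-byte checksum. Not libbfd. */
#define SREC_CHECKSUM_LEN 1u

/* Record types S1/S2/S3 carry 2/3/4-byte addresses; 0 for any other type. */
static unsigned int srec_address_len(unsigned char type)
{
    switch (type) {
    case '1': return 2;
    case '2': return 3;
    case '3': return 4;
    default:  return 0;
    }
}

/* Unchecked variant, mirroring the pattern the message describes:
   subtracting the fixed fields from an unsigned count that is smaller
   than those fields wraps around instead of failing, so the returned
   "remaining data bytes" can be close to UINT_MAX. */
unsigned int data_len_unchecked(unsigned char type, unsigned int count)
{
    unsigned int bytes = count;
    bytes -= srec_address_len(type);   /* may wrap below zero */
    bytes -= SREC_CHECKSUM_LEN;        /* may wrap below zero */
    return bytes;
}

/* Checked variant: validate the count against the fixed fields before
   subtracting. Returns the data length, or -1 for a malformed record. */
long data_len_checked(unsigned char type, unsigned int count)
{
    unsigned int addr_len = srec_address_len(type);
    unsigned int fixed = addr_len + SREC_CHECKSUM_LEN;
    if (addr_len == 0 || count < fixed)
        return -1;
    return (long)(count - fixed);
}

/* Model of the 'while (bytes > 0)' data loop, bounded by the size of the
   buffer actually available. Returns the number of bytes consumed, or -1
   if the loop wanted more bytes than the buffer holds, which is the
   over-read that a wrapped 'bytes' value produces. */
long consume_data(unsigned int bytes, size_t avail)
{
    size_t used = 0;
    while (bytes > 0) {
        if (used >= avail)
            return -1;
        used++;
        bytes--;
    }
    return (long)used;
}

int main(void)
{
    /* Constructed inputs: a well-formed S1 record with count 0x13
       (2 address bytes + 16 data bytes + 1 checksum byte) and a malformed
       S1 record whose count of 2 cannot even cover its fixed fields. */
    unsigned int good = data_len_unchecked('1', 0x13);
    unsigned int bad  = data_len_unchecked('1', 2);

    printf("count 0x13, unchecked: %u data bytes\n", good);
    printf("count 2,    unchecked: %u data bytes (wrapped)\n", bad);
    printf("count 2,    unchecked loop over 64-byte buffer: %ld\n",
           consume_data(bad, 64));
    printf("count 2,    checked: %ld (negative means rejected)\n",
           data_len_checked('1', 2));
    return 0;
}
```

The fix in the checked variant is the ordering: compare the count against the sum of the fixed-size fields first, and only subtract once the comparison has passed, so no intermediate value is ever computed from an invalid count.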