Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 28 Jun 2018 10:20:28 -0700
From: Mark Winterrowd <>
Subject: Out of bounds memory read in src/stdio/vfprintf.c

Hi all,

I believe I have found an out of bounds memory read in vfprintf.c

On line 509 in src/stdio/vfprintf.c in the current source tree head, you
can observe the following snippet of code:

/* Format specifier state machine */
do {
if (OOB(*s)) goto inval;
} while (st-1<STOP);
if (!st) goto inval;

Note that on line 99 the OOB macro expands to the following test whether
the argument falls outside of 'A' and 'z', written to use a single compare:

#define OOB(x) ((unsigned)(x)-'A' > 'z'-'A')
Unfortunately, the cast to unsigned binds tighter than the subtract
from 'A', so if x is less than 'A',
OOB will return false. This is common in the case of space, which has
an ascii value of 32

compared to 'A' 's value of 65.

This causes us to index into states with a negative value for its
second dimension, causing us to
index to an unpredictable location in states, possibly even off the beginning.
Hope this helps,
Mark Winterrowd

Content of type "text/html" skipped

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.