Date: Thu, 28 Jun 2018 10:20:28 -0700
From: Mark Winterrowd <markwinterrowd4@...il.com>
To: musl@...ts.openwall.com
Subject: Out of bounds memory read in src/stdio/vfprintf.c

Hi all,

I believe I have found an out-of-bounds memory read in vfprintf.c.

On line 509 in src/stdio/vfprintf.c in the current source tree head, you
can observe the following snippet of code:

/* Format specifier state machine */
st=0;
do {
	if (OOB(*s)) goto inval;
	ps=st;
	st=states[st]S(*s++);
} while (st-1<STOP);
if (!st) goto inval;

Note that on line 99 the OOB macro expands to the following test of whether
the argument falls outside of 'A' and 'z', written to use a single compare:

#define OOB(x) ((unsigned)(x)-'A' > 'z'-'A')

Unfortunately, the cast to unsigned binds tighter than the subtraction
from 'A', so if x is less than 'A', OOB will return false. This is common
in the case of space, which has an ASCII value of 32, compared to 65 for 'A'.

This causes us to index into states with a negative value for its second
dimension, causing us to index to an unpredictable location in states,
possibly even off the beginning.
Hope this helps,
Mark Winterrowd
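An added check, not part of the mail above or of musl, that evaluates the OOB macro exactly as quoted on a few constructed byte values and then walks every value *s can hold (signed or unsigned char) to confirm whether each byte that passes OOB also yields a second-dimension index inside 0..'z'-'A'. The helper names oob, index_in_range and oob_guards_all_bytes are assumptions of this harness, not musl identifiers.

```c
#include <stdio.h>
#include <limits.h>

/* The macro exactly as quoted from src/stdio/vfprintf.c in the mail. */
#define OOB(x) ((unsigned)(x)-'A' > 'z'-'A')

/* Hypothetical helper: evaluate the macro for one int value of *s.
 * Note that in (unsigned)(x)-'A' the int constant 'A' is converted to
 * unsigned by the usual arithmetic conversions, so for x < 'A' the
 * subtraction wraps to a large unsigned value rather than going negative. */
int oob(int x)
{
    return OOB(x) ? 1 : 0;
}

/* Hypothetical helper: the index the state table would be accessed with
 * for byte x, i.e. x - 'A'; returns 1 when it lies inside 0..'z'-'A'. */
int index_in_range(int x)
{
    int idx = x - 'A';
    return idx >= 0 && idx <= 'z' - 'A';
}

/* Exhaustive check over every value a char can take: returns 1 if every
 * byte is either rejected by OOB or produces an in-range index, and 0
 * (printing the first offender) otherwise. */
int oob_guards_all_bytes(void)
{
    for (int x = SCHAR_MIN; x <= UCHAR_MAX; x++) {
        if (!oob(x) && !index_in_range(x)) {
            printf("unguarded byte %d -> index %d\n", x, x - 'A');
            return 0;
        }
    }
    return 1;
}

int main(void)
{
    int probes[] = { ' ', 'A', 'z', '{', 0, -1 }; /* constructed samples */
    for (size_t i = 0; i < sizeof probes / sizeof *probes; i++)
        printf("OOB(%d) = %d, index %d\n",
               probes[i], oob(probes[i]), probes[i] - 'A');
    printf("all bytes guarded: %d\n", oob_guards_all_bytes());
    return 0;
}
```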
