Date: Thu, 23 Oct 2014 18:55:17 +0000 From: mancha <mancha1@...o.com> To: oss-security@...ts.openwall.com Cc: lcamtuf@...edump.cx Subject: Re: strings / libbfd crasher On Thu, Oct 23, 2014 at 08:24:00AM -0700, Michal Zalewski wrote: > > http://lcamtuf.coredump.cx/stringme > > The immediate cause is due to srec_scan() in srec.c decreasing 'bytes' > without range checking until it wraps around. The already-bad value of > 'bytes' is assigned to 'sec->size' few lines before the crash, so > perhaps there would be potential for exploitability later down the > line; but the code ends up crashing soon thereafter in a 'while (bytes > > 0)' loop that has no other exit conditions. That loop would need to > go over the entire address space without SEGV to avoid the crash. I'm no leporidae but I agree srec_scan needs tlc. Fun-with-NULL: http://sf.net/projects/mancha/files/rnd/stringmetoo --mancha Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.