Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:Update
glibc.33856
glob-use-after-free.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File glob-use-after-free.patch of Package glibc.33856
From ddc650e9b3dc916eab417ce9f79e67337b05035c Mon Sep 17 00:00:00 2001 From: Andreas Schwab <schwab@suse.de> Date: Wed, 19 Feb 2020 17:21:46 +0100 Subject: [PATCH] Fix use-after-free in glob when expanding ~user (bug 25414) The value of `end_name' points into the value of `dirname', thus don't deallocate the latter before the last use of the former. --- posix/glob.c | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) Index: glibc-2.22/posix/glob.c =================================================================== --- glibc-2.22.orig/posix/glob.c +++ glibc-2.22/posix/glob.c @@ -962,28 +962,30 @@ glob (pattern, flags, errfunc, pglob) { size_t home_len = strlen (p->pw_dir); size_t rest_len = end_name == NULL ? 0 : strlen (end_name); + char *newp; + bool use_alloca = glob_use_alloca (alloca_used, + home_len + rest_len + 1); - if (__glibc_unlikely (malloc_dirname)) - free (dirname); - malloc_dirname = 0; - - if (glob_use_alloca (alloca_used, home_len + rest_len + 1)) - dirname = alloca_account (home_len + rest_len + 1, - alloca_used); + if (use_alloca) + newp = alloca_account (home_len + rest_len + 1, alloca_used); else { - dirname = malloc (home_len + rest_len + 1); - if (dirname == NULL) + newp = malloc (home_len + rest_len + 1); + if (newp == NULL) { free (malloc_pwtmpbuf); retval = GLOB_NOSPACE; goto out; } - malloc_dirname = 1; } - *((char *) mempcpy (mempcpy (dirname, p->pw_dir, home_len), + *((char *) mempcpy (mempcpy (newp, p->pw_dir, home_len), end_name, rest_len)) = '\0'; + if (__glibc_unlikely (malloc_dirname)) + free (dirname); + dirname = newp; + malloc_dirname = !use_alloca; + dirlen = home_len + rest_len; dirname_modified = 1;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
