CVE-2015-1472: wscanf allocates too little memory

BZ #16618 Under certain conditions wscanf can allocate too little memory for the to-be-scanned arguments and overflow the allocated buffer. The implementation now correctly computes the required buffer size when using malloc. A regression test was added to tst-sscanf. (cherry picked from commit 5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06) Conflicts: ChangeLog NEWS
author: Paul Pluzhnikov <ppluzhnikov@google.com> 2015-02-06 00:30:42 -0500
committer: Mike Frysinger <vapier@gentoo.org> 2015-02-16 05:26:49 -0500
commit: 4d54424420c6300efbf57a7b9aa8635a8b8c1942 (patch)
tree: b87845b3970fac459cae136a751a5c0e1f7816ca /ChangeLog
parent: 1bf9d48aec087062e2a14b77cb5ee1fa81be334c (diff)
download: glibc-4d54424420c6300efbf57a7b9aa8635a8b8c1942.zip
glibc-4d54424420c6300efbf57a7b9aa8635a8b8c1942.tar.gz
glibc-4d54424420c6300efbf57a7b9aa8635a8b8c1942.tar.bz2
1 files changed, 8 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index a6461e6..ccce486 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2015-02-16  Paul Pluzhnikov  <ppluzhnikov@google.com>
+
+	[BZ #16618]
+	* stdio-common/tst-sscanf.c (main): Test for buffer overflow.
+	* stdio-common/vfscanf.c (_IO_vfscanf_internal): Compute needed
+	size in bytes. Store needed elements in wpmax. Use needed size
+	in bytes for extend_alloca.
+
 2015-02-16  H.J. Lu  <hongjiu.lu@intel.com>
 
 	[BZ #17801]
author	Paul Pluzhnikov <ppluzhnikov@google.com>	2015-02-06 00:30:42 -0500
committer	Mike Frysinger <vapier@gentoo.org>	2015-02-16 05:26:49 -0500
commit	4d54424420c6300efbf57a7b9aa8635a8b8c1942 (patch)
tree	b87845b3970fac459cae136a751a5c0e1f7816ca /ChangeLog
parent	1bf9d48aec087062e2a14b77cb5ee1fa81be334c (diff)
download	glibc-4d54424420c6300efbf57a7b9aa8635a8b8c1942.zip glibc-4d54424420c6300efbf57a7b9aa8635a8b8c1942.tar.gz glibc-4d54424420c6300efbf57a7b9aa8635a8b8c1942.tar.bz2