
Bug#402694: new[] operator can silently allocate less than requested



Package: libstdc++6
Version: 4.1.1-21
Severity: important
Tags: security

See bug #155529 -- this is the same problem referenced by the same
advisory:  http://cert.uni-stuttgart.de/advisories/calloc.php
Severity should probably be higher for a security problem, but I'll
set it the same as that original bug.

Basically 
   Big *big = new Big[size]
can allocate less than requested but fail to throw an exception, if
   sizeof(Big) * size
overflows.  

A sample program is attached.  On i386, the first allocation correctly
succeeds, the second correctly throws an exception (it's trying to
allocate ~4GB), and the third appears to allocate successfully but
segfaults on access.

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17.4
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages libstdc++6 depends on:
ii  gcc-4.1-base                  4.1.1-21   The GNU Compiler Collection (base 
ii  libc6                         2.3.6-15   GNU C Library: Shared libraries
ii  libgcc1                       1:4.1.1-21 GCC support library

libstdc++6 recommends no packages.

-- no debconf information

#include <stdio.h>
#include <exception>

class Big {
public:
	char big[1000];
};

int main()
{
	/* Element counts chosen so that sizeof(Big) * size, in a 32-bit size_t,
	   is 4294000 bytes (fits), 4294000000 bytes (~4GB, allocation fails),
	   and 4296000000 bytes, which wraps past 2^32 to 1032704 bytes. */
	int size[3] = { 4294, 4294000, 4296000 };

	for (int i=0; i<3; i++) {
		try {
			Big *bigs = new Big[size[i]];
			printf("%d allocated\n", i);
			/* Index 1234 is well inside the requested array but past the
			   wrapped allocation in the third case, so the write faults. */
			bigs[1234].big[0] = 0;
			printf("%d tested\n", i);
			delete[] bigs;
		} catch(const std::exception &) {	/* catch by reference, not by value */
			printf("%d exception\n", i);
		}
	}
}
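As an added example (not part of the bug report or of libstdc++), the check that operator new[] failed to make: it models the 32-bit size computation for the report's three element counts and shows a hardened wrapper that rejects counts whose byte size would wrap. The names Big1000, array_bytes_overflow, wrapped_bytes and checked_array_new are chosen here.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <stdexcept>
#include <cstdio>

// Same element type as the report's Big: 1000 bytes.
struct Big1000 { char big[1000]; };

// Largest value of an unsigned size type that is `bits` wide (32 models i386).
static std::uint64_t size_max_for(unsigned bits) {
    return bits >= 64 ? std::numeric_limits<std::uint64_t>::max()
                      : (std::uint64_t(1) << bits) - 1;
}

// True when elem_size * count does not fit in a `bits`-wide size_t, i.e. the
// byte count handed to operator new[] would wrap. Dividing instead of
// multiplying keeps the check itself from overflowing.
bool array_bytes_overflow(std::uint64_t elem_size, std::uint64_t count, unsigned bits) {
    if (elem_size == 0) return false;
    return count > size_max_for(bits) / elem_size;
}

// The byte count the allocator actually sees after wrapping (what the
// unchecked new[] in the report ends up requesting).
std::uint64_t wrapped_bytes(std::uint64_t elem_size, std::uint64_t count, unsigned bits) {
    return (elem_size * count) & size_max_for(bits);
}

// Hardened replacement for `new T[count]` on the current target: refuse
// counts whose byte size would wrap instead of silently under-allocating.
template <typename T>
T *checked_array_new(std::size_t count) {
    if (count > std::numeric_limits<std::size_t>::max() / sizeof(T))
        throw std::length_error("new[]: element count overflows size_t");
    return new T[count];
}

int main() {
    const std::uint64_t counts[3] = { 4294, 4294000, 4296000 };  // from the report
    for (std::uint64_t n : counts)
        std::printf("%llu elements: overflow=%d, bytes requested=%llu\n",
                    (unsigned long long)n,
                    array_bytes_overflow(sizeof(Big1000), n, 32),
                    (unsigned long long)wrapped_bytes(sizeof(Big1000), n, 32));
}
```

On a 32-bit model the third count wraps to 1032704 bytes, which is why the report's write to bigs[1234] lands outside the allocation.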
