
Bug#553206: libc6: sscanf segfaults with %d on large decimal input string



Package: libc6
Version: 2.10.1-2
Severity: normal


sscanf(p, "%d", &i) causes a SIGSEGV to be raised if p points to a very long input string containing only
decimal characters.
That makes "%d" unusable for scanning untrusted input (in my case, a SIP registrar).

Here is a code example that shows it (use 2*1024*1024 and it works):

/* compile with e.g. gcc x.c -o x */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(void)
{
	int n = 0;
	int rc;
	char *p;

	/* 3 MiB of '1' digits crashes; 2 MiB (2*1024*1024) completes */
	#define NBUF (3*1024*1024)
	p = malloc(NBUF);
	if (p) {
		/* fill the buffer with the digit '1' and NUL-terminate it,
		   giving a single decimal token of NBUF-1 characters */
		memset(p, '1', NBUF);
		p[NBUF-1] = 0;
		printf("here we go...\n");
		/* the SIGSEGV is raised inside this call on the affected libc6 */
		rc = sscanf(p, "%d", &n);
		printf("rc=%d n=%d\n", rc, n);
		free(p);
	}
	return 0;
}


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.30-2-686 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages libc6 depends on:
ii  libc-bin                      2.10.1-2   GNU C Library: Binaries
ii  libgcc1                       1:4.4.2-1  GCC support library

Versions of packages libc6 recommends:
ii  libc6-i686                    2.10.1-2   GNU C Library: Shared libraries [i

Versions of packages libc6 suggests:
ii  debconf [debconf-2.0]         1.5.28     Debian configuration management sy
ii  glibc-doc                     2.10.1-2   GNU C Library: Documentation
ii  locales                       2.10.1-2   GNU C Library: National Language (
ii  locales-all [locales]         2.10.1-2   GNU C Library: Precompiled locale 

-- debconf information:
* glibc/upgrade: true
  glibc/disable-screensaver:
  glibc/restart-failed:
* glibc/restart-services: spamassassin samba rsync postfix openbsd-inetd cups cron atd
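For the untrusted-input case the reporter mentions (a SIP registrar pulling integers out of network data), the practical mitigation is to bound the token before any library parser sees it and to check the range explicitly: a bare %d has no field-width limit, and the C standard makes a %d conversion whose result does not fit in an int undefined behaviour even when nothing crashes. The following is an added example, not code from the bug report or from glibc; the names parse_int_bounded, parse_int_result, reject_huge_digit_string and the MAX_INT_CHARS limit are assumptions chosen for illustration, and the sample inputs are constructed.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Maximum number of characters examined for one integer.  An int needs at
 * most 11 characters ("-2147483648"); anything longer is either not an int
 * or an attempt to feed the parser something huge, so it is rejected before
 * any scanning routine touches it.  The value is an assumption for this
 * example, not a constant from the bug report. */
#define MAX_INT_CHARS 11

/* Like strnlen, but written out so the example does not depend on feature
 * macros.  Returns max + 1 when the string is longer than max. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n <= max && s[n] != '\0')
        n++;
    return n;
}

/* Parse a decimal int from untrusted, NUL-terminated input.
 * Returns 0 and stores the value in *out on success; returns -1 if the
 * input is empty, longer than MAX_INT_CHARS, not purely numeric (optional
 * sign, digits, nothing else), or out of range for int. */
int parse_int_bounded(const char *s, int *out)
{
    size_t len = bounded_len(s, MAX_INT_CHARS);   /* O(MAX_INT_CHARS), never O(strlen) */
    if (len == 0 || len > MAX_INT_CHARS)
        return -1;

    /* strtol would silently skip leading whitespace; refuse it instead. */
    if (isspace((unsigned char)s[0]))
        return -1;

    errno = 0;
    char *end;
    long v = strtol(s, &end, 10);
    if (end == s || *end != '\0')                  /* no digits, or trailing junk */
        return -1;
    if (errno == ERANGE || v < INT_MIN || v > INT_MAX)
        return -1;                                 /* here sscanf("%d") would be UB */
    *out = (int)v;
    return 0;
}

/* Convenience wrapper: the parsed value, or LONG_MIN (outside int range,
 * so unambiguous) when the input is rejected. */
long parse_int_result(const char *s)
{
    int n;
    return parse_int_bounded(s, &n) == 0 ? (long)n : LONG_MIN;
}

/* Mirrors the bug report's reproducer: nbuf-1 '1' digits followed by NUL.
 * Returns the parser's verdict (-1 = rejected) after looking at only the
 * first MAX_INT_CHARS + 1 bytes. */
int reject_huge_digit_string(size_t nbuf)
{
    char *p = malloc(nbuf);
    if (!p)
        return -1;
    memset(p, '1', nbuf);
    p[nbuf - 1] = '\0';
    int n = 0;
    int rc = parse_int_bounded(p, &n);
    free(p);
    return rc;
}

int main(void)
{
    /* constructed sample inputs */
    const char *samples[] = { "42", "-2147483648", "2147483647", "2147483648",
                              "12abc", "", " 7", "99999999999" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long r = parse_int_result(samples[i]);
        if (r == LONG_MIN)
            printf("\"%s\" -> rejected\n", samples[i]);
        else
            printf("\"%s\" -> %ld\n", samples[i], r);
    }
    printf("3 MiB of digits -> %s\n",
           reject_huge_digit_string(3 * 1024 * 1024) == -1 ? "rejected" : "accepted");
    return 0;
}
```

A maximum field width on the conversion (for example %10d) also caps how many characters a single conversion consumes, but the simpler rule for network-facing parsers is to never hand unbounded input to a scanf-family function at all; strtol with an explicit length and range check keeps the limit visible at the call site and turns the silent undefined behaviour of an overflowing %d into an ordinary rejected request.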


