Bug#779573: bibtool: heap buffer overflow in the bibtool tests
On 2015-03-02 16:10:43 +0100, Vincent Lefevre wrote:
> rewrite.c:313 is:
>
> stack[stackp++] = field;
>
> With the context:
>
> if ( stackp > stacksize )                           /* */
> { stacksize += 8;                                   /* */
>   if ( (stack=(Uchar**)realloc((char*)stack,        /* */
>                                stacksize*sizeof(char*)))==NULL)/* */
>   { OUT_OF_MEMORY("rule stack"); }                  /* */
> }                                                   /* */
> stack[stackp++] = field;                            /* */
>
> If I understand correctly, it seems that the 8-byte increase is not
> sufficient.
Actually, if stackp == stacksize, this is also bad.
The test should be:
if ( stackp >= stacksize )
--
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
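As an added illustration (not code from the bug report or from bibtool itself), the following models the quoted growth check with both the `>` test and the proposed `>=` test, showing that the write at `stack[stackp]` falls outside the allocation exactly when `stackp == stacksize`, and gives a complete push routine with the corrected check. The `RuleStack` struct, `push_field`, `push_n_fields` and `STACK_STEP` names are assumptions made for the example.

```c
#include <stdlib.h>

#define STACK_STEP 8   /* the "+= 8" growth step from the quoted code */

/* Capacity the stack has at the moment `stack[stackp++] = field` runs.
 * fixed_check == 0 applies the ">" test quoted in the report, 1 the ">=" fix. */
static size_t capacity_after_check(size_t stackp, size_t stacksize, int fixed_check)
{
    int grow = fixed_check ? (stackp >= stacksize) : (stackp > stacksize);
    return grow ? stacksize + STACK_STEP : stacksize;
}

/* 1 if the write at index stackp lands inside the allocation, else 0.
 * With the buggy check this is 0 exactly when stackp == stacksize. */
static int write_in_bounds(size_t stackp, size_t stacksize, int fixed_check)
{
    return stackp < capacity_after_check(stackp, stacksize, fixed_check);
}

/* A complete push routine using the corrected ">=" check (hypothetical
 * struct, not bibtool's own). Returns 0 on success, -1 if realloc fails. */
typedef struct { char **stack; size_t stackp; size_t stacksize; } RuleStack;

static int push_field(RuleStack *rs, char *field)
{
    if (rs->stackp >= rs->stacksize) {
        size_t newsize = rs->stacksize + STACK_STEP;
        char **grown = realloc(rs->stack, newsize * sizeof(char *));
        if (grown == NULL)
            return -1;
        rs->stack = grown;
        rs->stacksize = newsize;
    }
    rs->stack[rs->stackp++] = field;
    return 0;
}

/* Push n fields onto a fresh stack and return the final capacity; the
 * corrected check keeps every write inside the allocation. */
static size_t push_n_fields(size_t n)
{
    RuleStack rs = { NULL, 0, 0 };
    for (size_t i = 0; i < n; i++)
        if (push_field(&rs, "field") != 0) { free(rs.stack); return 0; }
    size_t cap = rs.stacksize;
    free(rs.stack);
    return cap;
}
```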