
Bug#779573: bibtool: heap buffer overflow in the bibtool tests




Thanks, it sounds helpful: I have just forwarded your last two emails
to the mainstream maintainer: let's wait for his feedback.

Jerome

On 02/03/15 16:27, Vincent Lefevre wrote:
> On 2015-03-02 16:10:43 +0100, Vincent Lefevre wrote:
>> rewrite.c:313 is:
>>
>>   stack[stackp++] = field;
>>
>> With the context:
>>
>>     if ( stackp > stacksize )                      /*                        */
>>     { stacksize += 8;                              /*                        */
>>       if ( (stack=(Uchar**)realloc((char*)stack,   /*                        */
>>                                   stacksize*sizeof(char*)))==NULL)/*         */
>>       { OUT_OF_MEMORY("rule stack"); }             /*                        */
>>     }                                              /*                        */
>>     stack[stackp++] = field;                       /*                        */
>>
>> If I understand correctly, it seems that the 8-byte increase is not
>> sufficient.
> 
> Actually, if stackp == stacksize, this is also bad.
> The test should be:
> 
>   if ( stackp >= stacksize )
> 
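As an added example (not bibtool's code and not part of either mail), the growth logic quoted above is rebuilt as a small C stack so that the original `>` check and the proposed `>=` check can be compared side by side. The type and function names (`rule_stack`, `rs_push`, `first_overflow`), the initial allocation of 8 slots and the growth step of 8 are assumptions; the page only shows the fragment from rewrite.c. Instead of performing the one-past-the-end write, the push records it and refuses, which is the write a heap sanitizer would flag in the real program.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example modelled on the rewrite.c fragment quoted in the mail.
   The growth test is passed in as a function so the two variants can be
   exercised by the same code. */

enum { STEP = 8 };            /* assumed: the stack grows by 8 slots */

typedef struct {
    const char **stack;       /* heap array of `stacksize` slots */
    size_t stackp;            /* elements in use; also the next write index */
    size_t stacksize;         /* allocated slots */
    int overflowed;           /* set if a push would have written past the end */
} rule_stack;

/* The check as it appears in the quoted code: grows only when stackp is
   already past the end, so stackp == stacksize slips through. */
int needs_grow_orig(size_t stackp, size_t stacksize) { return stackp > stacksize; }

/* The check proposed in the mail: grow as soon as no free slot is left. */
int needs_grow_fixed(size_t stackp, size_t stacksize) { return stackp >= stacksize; }

/* Assumed initial state: STEP slots pre-allocated, nothing in use. */
void rs_init(rule_stack *rs) {
    rs->stack = malloc(STEP * sizeof *rs->stack);
    if (rs->stack == NULL) { perror("malloc"); exit(1); }
    rs->stackp = 0;
    rs->stacksize = STEP;
    rs->overflowed = 0;
}

void rs_free(rule_stack *rs) { free(rs->stack); rs->stack = NULL; }

/* Push one field using the supplied growth check. Returns 0 on success and
   -1 if the check failed to grow the array before the write; the write is
   then skipped so this example stays free of undefined behaviour. */
int rs_push(rule_stack *rs, const char *field,
            int (*needs_grow)(size_t, size_t)) {
    if (needs_grow(rs->stackp, rs->stacksize)) {
        size_t n = rs->stacksize + STEP;
        const char **p = realloc(rs->stack, n * sizeof *p);
        if (p == NULL) { perror("realloc"); exit(1); }
        rs->stack = p;
        rs->stacksize = n;
    }
    /* stack[stackp] is a valid slot only while stackp < stacksize. */
    if (rs->stackp >= rs->stacksize) {
        rs->overflowed = 1;
        return -1;
    }
    rs->stack[rs->stackp++] = field;
    return 0;
}

/* Push `count` fields with the given check and return the index of the
   first push that would have overflowed, or -1 if every push was in bounds. */
int first_overflow(int count, int (*needs_grow)(size_t, size_t)) {
    rule_stack rs;
    int bad = -1;
    rs_init(&rs);
    for (int i = 0; i < count; i++) {
        if (rs_push(&rs, "field", needs_grow) != 0) { bad = i; break; }
    }
    rs_free(&rs);
    return bad;
}

int main(void) {
    printf("original '>' check:  first out-of-bounds push = %d\n",
           first_overflow(20, needs_grow_orig));
    printf("proposed '>=' check: first out-of-bounds push = %d\n",
           first_overflow(20, needs_grow_fixed));
    return 0;
}
```

With 8 slots allocated, the original check lets the ninth push (index 8) write to `stack[8]`, one element past the allocation, and only grows the array on the push after that; the `>=` check grows before that write and keeps every push in bounds.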

