This is the mail archive of the cygwin mailing list for the Cygwin project.



URGENT: patch to fix buffer overflow in cygwin1.dll in versions 1.7.2 to 1.7.5


A serious buffer overflow was introduced over 2 years ago (-r1.141 2008/02/14)
when support for wide characters was added. The change below unleashed
this bug, leading to random segmentation faults on forking when using
cygwin 1.7.2 to 1.7.5 (e.g. when running kpsewhich or asymptote):

2009-12-18  Corinna Vinschen  <corinna@vinschen.de>

	* fhandler.h (fhandler_registry::value_name): Convert to wchar_t*.
	* fhandler_registry.cc: Call UNICODE registry functions throughout
	and convert to multibyte using current locale's charset.  Accommodate
	throughout.
	(must_encode): Take wchar_t.
	(encode_regname): Convert from wchar_t *.
	(decode_regname): Convert to wchar_t *.

After a long debugging session, I finally tracked the problem down to a
buffer overflow in cwcsdup. A patch is attached below. See for example

https://www.securecoding.cert.org/confluence/display/seccode/STR33-C.+Size+wide+character+strings+correctly

I recommend releasing a new cygwin1.dll as soon as possible.
As an interim solution, I have applied the patch below and compiled it as
the cygwin1.dll that ships with Asymptote-1.92:

https://sourceforge.net/projects/asymptote/files/asymptote/1.92/asymptote-1.92-setup.exe/download

Regards,

-- John Bowman
University of Alberta

diff -ru cygwin.broken/cygheap.cc cygwin/cygheap.cc
--- cygwin.broken/cygheap.cc	2009-10-03 05:28:04.000000000 -0700
+++ cygwin/cygheap.cc	2010-04-12 05:43:47.640625000 -0700
@@ -363,7 +363,7 @@
 cwcsdup (const PWCHAR s)
 {
   MALLOC_CHECK;
-  PWCHAR p = (PWCHAR) cmalloc (HEAP_STR, wcslen (s) + 1);
+  PWCHAR p = (PWCHAR) cmalloc (HEAP_STR, (wcslen (s) + 1) * sizeof(wchar_t));
   if (!p)
     return NULL;
   wcpcpy (p, s);
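Review bot: the corrected size expression on the `+` line is right (cmalloc takes a byte count, and wcslen returns a character count), but `sizeof(wchar_t)` breaks the GNU spacing used everywhere else in this hunk (`cmalloc (`, `wcslen (`); write it as `sizeof (wchar_t)` to match. The patch also carries no ChangeLog entry for cygheap.cc, which this tree expects alongside every change; please add one naming cwcsdup and cwcsdup1.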
@@ -375,7 +375,7 @@
 cwcsdup1 (const PWCHAR s)
 {
   MALLOC_CHECK;
-  PWCHAR p = (PWCHAR) cmalloc (HEAP_1_STR, wcslen (s) + 1);
+  PWCHAR p = (PWCHAR) cmalloc (HEAP_1_STR, (wcslen (s) + 1) * sizeof(wchar_t));
   if (!p)
     return NULL;
   wcpcpy (p, s);
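Review bot: this hunk repeats the exact size arithmetic of the cwcsdup hunk above, and the two copies drifting apart is how a single-character-count-versus-byte-count slip goes unnoticed; compute the byte length once (for example `size_t len = (wcslen (s) + 1) * sizeof (wchar_t);`) and have both cwcsdup and cwcsdup1 pass it to cmalloc, so the sizing lives in one place. As in the first hunk, `sizeof(wchar_t)` should be `sizeof (wchar_t)` for style consistency.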

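The defect the mail describes is a character count passed where an allocator expects a byte count, so every wide string gets a buffer roughly sizeof(wchar_t) times too small and the copy runs past it. The following C example, added here and not part of the mail or of the Cygwin source, shows the sizing done correctly with plain malloc instead of Cygwin's cmalloc: `wide_dup_bytes` computes the byte length with an overflow guard on the multiplication, `safe_wcsdup` allocates and copies with that length, and `broken_dup_bytes`/`shortfall` expose how far short the original allocation fell. All function names here are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Bytes needed to hold the wide string s including its L'\0' terminator.
   Returns 0 if (chars * sizeof(wchar_t)) would wrap around size_t, so a
   caller can never be handed an undersized buffer because of overflow. */
size_t wide_dup_bytes(const wchar_t *s)
{
    size_t chars = wcslen(s) + 1;             /* characters, not bytes */
    if (chars > SIZE_MAX / sizeof(wchar_t))   /* guard the multiplication */
        return 0;
    return chars * sizeof(wchar_t);           /* bytes */
}

/* Duplicate s with a correctly sized allocation. Caller frees the result.
   This is the shape of the fixed cwcsdup; the allocator here is malloc. */
wchar_t *safe_wcsdup(const wchar_t *s)
{
    size_t bytes = wide_dup_bytes(s);
    if (bytes == 0)
        return NULL;
    wchar_t *p = malloc(bytes);
    if (!p)
        return NULL;
    memcpy(p, s, bytes);                      /* copies the terminator too */
    return p;
}

/* The size the pre-patch code requested: wcslen(s) + 1, a character count
   handed to a byte-counting allocator. Shown for comparison only. */
size_t broken_dup_bytes(const wchar_t *s)
{
    return wcslen(s) + 1;
}

/* How many bytes the copy would run past the undersized buffer. */
size_t shortfall(const wchar_t *s)
{
    return wide_dup_bytes(s) - broken_dup_bytes(s);
}
```

On a platform where wchar_t is 2 bytes, as on Windows, `shortfall(L"abc")` is 4: the old code allocated 4 bytes for a string that needs 8. The same rule applies to any API taking a byte count (memcpy, ReadFile, cmalloc): multiply the character count by sizeof(wchar_t) first, and keep that computation in one helper rather than repeating the arithmetic at each call site.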

