This is the mail archive of the cygwin mailing list for the Cygwin project.
URGENT: patch to fix buffer overflow in cygwin1.dll in versions 1.7.2 to 1.7.5
- From: John Bowman <bowman at math dot ualberta dot ca>
- To: cygwin at cygwin dot com
- Date: 13 Apr 2010 09:47:36 -0000
- Subject: URGENT: patch to fix buffer overflow in cygwin1.dll in versions 1.7.2 to 1.7.5
A serious buffer overflow was introduced over 2 years ago (-r1.141 2008/02/14)
when support for wide characters was added. The change below unleashed
this bug, leading to random segmentation faults on forking when using
cygwin 1.7.2 to 1.7.5 (e.g. when running kpsewhich or asymptote):
2009-12-18 Corinna Vinschen <corinna@vinschen.de>
* fhandler.h (fhandler_registry::value_name): Convert to wchar_t*.
* fhandler_registry.cc: Call UNICODE registry functions throughout
and convert to multibyte using current locale's charset. Accommodate
throughout.
(must_encode): Take wchar_t.
(encode_regname): Convert from wchar_t *.
(decode_regname): Convert to wchar_t *.
After a long debugging session, I finally tracked the problem down to a
buffer overflow in cwcsdup. A patch is attached below. See for example
https://www.securecoding.cert.org/confluence/display/seccode/STR33-C.+Size+wide+character+strings+correctly
I recommend releasing a new cygwin1.dll as soon as possible.
As an interim solution, I have applied the patch below and compiled it as
the cygwin1.dll that ships with Asymptote-1.92:
https://sourceforge.net/projects/asymptote/files/asymptote/1.92/asymptote-1.92-setup.exe/download
Regards,
-- John Bowman
University of Alberta
diff -ru cygwin.broken/cygheap.cc cygwin/cygheap.cc
--- cygwin.broken/cygheap.cc 2009-10-03 05:28:04.000000000 -0700
+++ cygwin/cygheap.cc 2010-04-12 05:43:47.640625000 -0700
@@ -363,7 +363,7 @@
cwcsdup (const PWCHAR s)
{
MALLOC_CHECK;
- PWCHAR p = (PWCHAR) cmalloc (HEAP_STR, wcslen (s) + 1);
+ PWCHAR p = (PWCHAR) cmalloc (HEAP_STR, (wcslen (s) + 1) * sizeof(wchar_t));
if (!p)
return NULL;
wcpcpy (p, s);
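Review bot: the scale factor on the new cmalloc line should be tied to the pointee type rather than spelled as a second, unrelated type: p is a PWCHAR (a WCHAR pointer) while the size is computed with `sizeof(wchar_t)`, so `sizeof (*p)` or `sizeof (WCHAR)` would keep allocation and copy in step if either typedef ever changed; the missing space before the parenthesis also differs from the `cmalloc (` and `wcslen (` style on the same line. The correction itself is right: cmalloc takes a byte count and wcpcpy writes wcslen (s) + 1 wide characters, so the old request was short by a factor of sizeof (wchar_t) for every input, including the empty string. Pre-existing and unrelated to the fix, `const PWCHAR s` declares the pointer const, not the characters it points to; since the function only reads s, `const WCHAR *s` states the intent.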
@@ -375,7 +375,7 @@
cwcsdup1 (const PWCHAR s)
{
MALLOC_CHECK;
- PWCHAR p = (PWCHAR) cmalloc (HEAP_1_STR, wcslen (s) + 1);
+ PWCHAR p = (PWCHAR) cmalloc (HEAP_1_STR, (wcslen (s) + 1) * sizeof(wchar_t));
if (!p)
return NULL;
wcpcpy (p, s);
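Review bot: cwcsdup1 is a line-for-line copy of cwcsdup differing only in the heap id (HEAP_1_STR instead of HEAP_STR), which is why the same sizing bug had to be patched twice in one file; folding both into one static helper that takes the heap id (or a macro that expands the body once) would stop the two copies drifting apart again. As in the first hunk, `sizeof(wchar_t)` both lacks the space used by the surrounding calls and names a type other than the one p is declared with; `sizeof (*p)` would be consistent with the rest of the line.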
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
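The bug the patch corrects is the STR33-C mistake cited above: wcslen() returns a count of wide characters, but cmalloc() is given a count of bytes, so the buffer was short by a factor of sizeof (wchar_t) and wcpcpy() ran off its end. The following is an added illustration, not code from this message or from Cygwin. It assumes a constructed allocator (tracked_malloc, tracked_size, tracked_free) that records the size of each allocation so the copy can be refused before any byte is written, and reproduces the pre-patch and post-patch size expressions as dup_broken() and dup_fixed(); the real cygheap allocator keeps no such record, which is why the original code crashed later in fork() rather than failing at the copy.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Constructed stand-in for cmalloc: a malloc wrapper that remembers how many
   bytes each allocation was given. Not Cygwin's allocator. */
#define MAX_TRACKED 32
static struct { void *p; size_t bytes; } tracked[MAX_TRACKED];
static int ntracked;

static void *tracked_malloc(size_t bytes)
{
  if (ntracked >= MAX_TRACKED)
    return NULL;
  void *p = malloc(bytes);
  if (!p)
    return NULL;
  tracked[ntracked].p = p;
  tracked[ntracked].bytes = bytes;
  ntracked++;
  return p;
}

/* Recorded size of an allocation, or 0 if p is unknown. */
static size_t tracked_size(const void *p)
{
  for (int i = 0; i < ntracked; i++)
    if (tracked[i].p == p)
      return tracked[i].bytes;
  return 0;
}

/* Drops the record so a reused address cannot match a stale size. */
void tracked_free(void *p)
{
  for (int i = 0; i < ntracked; i++)
    if (tracked[i].p == p) {
      tracked[i] = tracked[--ntracked];
      break;
    }
  free(p);
}

/* Bytes a NUL-terminated wide string occupies, terminator included: the
   quantity STR33-C says a byte-counting allocator must be asked for. */
size_t wide_bytes(const wchar_t *s)
{
  return (wcslen(s) + 1) * sizeof(wchar_t);
}

/* How far the pre-patch request wcslen(s)+1 falls short. Never zero:
   sizeof(wchar_t) is 2 on Windows/Cygwin and 4 on Linux, so even the
   empty string overruns its allocation. */
size_t short_by(const wchar_t *s)
{
  return wide_bytes(s) - (wcslen(s) + 1);
}

/* Shared body of the two variants. `bytes` is what the caller requested;
   if it cannot hold s the copy is refused and *overrun set, instead of
   writing past the allocation as wcpcpy did in the broken build. */
static wchar_t *dup_with_size(const wchar_t *s, size_t bytes, int *overrun)
{
  size_t need = wide_bytes(s);
  wchar_t *p = tracked_malloc(bytes);
  *overrun = 0;
  if (!p)
    return NULL;
  if (tracked_size(p) < need) {
    *overrun = 1;
    tracked_free(p);
    return NULL;
  }
  memcpy(p, s, need);
  return p;
}

/* Pre-patch cwcsdup: wcslen(s)+1 counts wide characters, the allocator
   counts bytes. */
wchar_t *dup_broken(const wchar_t *s, int *overrun)
{
  return dup_with_size(s, wcslen(s) + 1, overrun);
}

/* Patched cwcsdup: the count is scaled to bytes. */
wchar_t *dup_fixed(const wchar_t *s, int *overrun)
{
  return dup_with_size(s, (wcslen(s) + 1) * sizeof(wchar_t), overrun);
}

int main(void)
{
  int overrun;
  wchar_t *p = dup_broken(L"kpsewhich", &overrun);
  printf("broken: %s, short by %zu bytes\n",
         overrun ? "copy refused" : "ok", short_by(L"kpsewhich"));
  p = dup_fixed(L"kpsewhich", &overrun);
  printf("fixed: %s\n", (p && !overrun) ? "ok" : "failed");
  tracked_free(p);
  return 0;
}
```

The constructed allocator only makes the mismatch visible at the copy; in the real cygheap the extra bytes land in whatever followed the allocation, which matches the report of crashes appearing later, at fork time, rather than at the cwcsdup call.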