Wireshark-bugs: [Wireshark-bugs] [Bug 10343] New: wmem_alloc_array() "succeeds" (and clobbers me

Date: Sun, 03 Aug 2014 20:32:11 +0000
Bug ID: 10343
Summary: wmem_alloc_array() "succeeds" (and clobbers memory) when requested to allocate 0xaaaaaaaa size 12 items
Classification: Unclassified
Product: Wireshark
Version: Git
Hardware: x86
OS: Windows 7
Status: UNCONFIRMED
Severity: Normal
Priority: Low
Component: Dissection engine (libwireshark)
Assignee: [email protected]
Reporter: [email protected]

Build Information:
(Git)
--
Specifically: (on Windows 32 bit)

typedef struct {
    int ...;
    int ...;
    int ...;
} foo_t;

    xxx = wmem_alloc_array(wmem_file_scope(), foo_t, 0xaaaaaaaa);
    [write to array elements]

will clobber memory and eventually cause an obscure crash.

(Found when looking into a fuzz-test failure).

------

In this case, the wmem code ends up g_malloc'ing a total of 8 bytes 
which it then proceeds to treat as if the full array had been allocated
(including the block header and the chunk header).

It sounds like some overflow checking is needed when the total length required
is calculated: (size_t ...) * num_elements.

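The arithmetic described in the report, worked through as an added example (this is not code from the report or from Wireshark's wmem): on a 32-bit build, sizeof(foo_t) * 0xaaaaaaaa wraps, and once the allocator adds its own headers the request wraps a second time down to a handful of bytes. The 8 + 8 header bytes are an assumption used to reproduce the "8 bytes" figure; the checked_alloc_array() / array_fits32() helpers are hypothetical, showing the overflow check the report asks for rather than wmem's actual API.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Header bytes the allocator puts in front of a chunk (block header plus
 * chunk header). 8 + 8 is an assumption for illustration; the report only
 * says both headers were part of the 8-byte g_malloc. */
#define HDR_BYTES 16u

/* Unchecked 32-bit arithmetic, as in (sizeof(type) * num) on a Win32 build:
 * the product silently wraps modulo 2^32. */
uint32_t unchecked_array_bytes32(uint32_t elem_size, uint32_t num)
{
    return elem_size * num;
}

/* Bytes handed to g_malloc once the headers are added, still in 32-bit
 * arithmetic, so an already-wrapped request can wrap a second time. */
uint32_t unchecked_malloc_bytes32(uint32_t elem_size, uint32_t num)
{
    return unchecked_array_bytes32(elem_size, num) + HDR_BYTES;
}

/* Checked multiply: returns 0 and writes the product on success, or 1 if
 * elem_size * num does not fit in size_t. */
int checked_mul_size(size_t elem_size, size_t num, size_t *out)
{
    if (elem_size != 0 && num > SIZE_MAX / elem_size)
        return 1;
    *out = elem_size * num;
    return 0;
}

/* Hypothetical checked array allocator (not wmem's own): refuses the request
 * instead of returning a block that is far too small. The header bytes are
 * added only after the product itself is known to fit. */
void *checked_alloc_array(size_t elem_size, size_t num)
{
    size_t bytes;
    if (checked_mul_size(elem_size, num, &bytes))
        return NULL;
    if (bytes > SIZE_MAX - HDR_BYTES)
        return NULL;
    return malloc(bytes + HDR_BYTES);
}

/* The same check with the 32-bit limits of the reported platform, so the
 * 0xaaaaaaaa case is rejected even when this file is built as 64-bit. */
int array_fits32(uint32_t elem_size, uint32_t num)
{
    if (elem_size != 0 && num > UINT32_MAX / elem_size)
        return 0;
    return elem_size * num <= UINT32_MAX - HDR_BYTES;
}

int main(void)
{
    uint32_t num = 0xaaaaaaaau;   /* the element count from the report */
    uint32_t sz  = 12u;           /* sizeof(foo_t): three ints on Win32 */

    printf("requested %u * 0x%08x bytes\n", sz, num);
    printf("wrapped array size: 0x%08x\n", unchecked_array_bytes32(sz, num));
    printf("bytes g_malloc'd:   %u\n", unchecked_malloc_bytes32(sz, num));
    printf("fits in 32 bits?    %s\n", array_fits32(sz, num) ? "yes" : "no");
    return 0;
}
```

The first two prints reproduce the report's numbers (0xFFFFFFF8 for the array, 8 once the headers are added); the last shows the request being rejected by the multiplication check, which is the cheap fix: compare num against SIZE_MAX / sizeof(type) before multiplying, and add header sizes only after that product is known to fit.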