#263 STL c_locale_glibc2 NULL pointer dereference in malloc

5.2
open-remind
None
7
2014-08-24
2014-05-22
cIFrex
No

Hi

I'm going show result of static code analysis using cifrex in STLport. Please comment this code. Thanks

In STLport-5.2.1/src/c_locale_glibc/c_locale_glibc2.c
size_t _Locale_strxfrm(struct _Locale_collate __loc,
char
dest, size_t dest_n,
const char src, size_t src_n )
{
const char
real_src;
char *buf = NULL;
size_t result;

if (src_n == 0)
{
if (dest != NULL) dest[0] = 0;
return 0;
}
if (src[src_n] != 0) {
buf = malloc(src_n + 1); <==================
strncpy(buf, src, src_n);
buf[src_n] = 0;
real_src = buf;
}
else

Unchecked Return Value from malloc().

And in function bellow the same problem

ifndef _STLP_NO_WCHAR_T

size_t _WLocale_strxfrm( struct _Locale_collate __loc,
wchar_t
dest, size_t dest_n,
const wchar_t src, size_t src_n )
{
const wchar_t
real_src;
wchar_t *buf = NULL;
size_t result;

if (src_n == 0)
{
if (dest != NULL) dest[0] = 0;
return 0;
}
if (src[src_n] != 0) {
buf = malloc((src_n + 1) * sizeof(wchar_t)); <==================
wcsncpy(buf, src, src_n);
buf[src_n] = 0;

Possible NULL pointer dereference

PoC:
Allocate MAX_HEAP_SIZE/2+1 and use this function

Is any reason why we don't check result of memory allocation?

Maksymilian A
cifrex.org

Discussion

    • status: open --> open-remind
    • assigned_to: Petr Ovtchenkov