#263 STL c_locale_glibc2 NULL pointer dereference in malloc

5.2
open-remind
None
7
2014-08-24
2014-05-22
cIFrex
No

Hi

I'm going to show the result of static code analysis using cifrex in STLport. Please comment on this code. Thanks

In STLport-5.2.1/src/c_locale_glibc/c_locale_glibc2.c
size_t _Locale_strxfrm(struct _Locale_collate *__loc,
                       char *dest, size_t dest_n,
                       const char *src, size_t src_n )
{
  const char *real_src;
  char *buf = NULL;
  size_t result;

  if (src_n == 0)
  {
    if (dest != NULL) dest[0] = 0;
    return 0;
  }
  if (src[src_n] != 0) {
    buf = malloc(src_n + 1);                    /* <================== */
    strncpy(buf, src, src_n);
    buf[src_n] = 0;
    real_src = buf;
  }
  else

Unchecked Return Value from malloc().

And in the function below, the same problem:

#ifndef _STLP_NO_WCHAR_T

size_t _WLocale_strxfrm( struct _Locale_collate *__loc,
                         wchar_t *dest, size_t dest_n,
                         const wchar_t *src, size_t src_n )
{
  const wchar_t *real_src;
  wchar_t *buf = NULL;
  size_t result;

  if (src_n == 0)
  {
    if (dest != NULL) dest[0] = 0;
    return 0;
  }
  if (src[src_n] != 0) {
    buf = malloc((src_n + 1) * sizeof(wchar_t)); /* <================== */
    wcsncpy(buf, src, src_n);
    buf[src_n] = 0;

Possible NULL pointer dereference

PoC:
Allocate MAX_HEAP_SIZE/2+1 and use this function

Is there any reason why we don't check the result of memory allocation?

Maksymilian A
cifrex.org
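The pattern both quoted functions share (copy a possibly unterminated source into a fresh heap buffer, then hand the copy to the libc transform) can be written so that an allocation failure is reported instead of dereferenced. The following is an added example, not STLport code: a checked counterpart of the narrow-character case, with a hypothetical allocator hook (`alloc_fn`) so the out-of-memory path can be exercised without actually exhausting the heap. The `src[src_n]` probe is kept as in the ticket's snippet and assumes, like the original, that the byte just past the logical length is readable.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allocator hook (hypothetical, for testing only): lets a caller swap in
 * an allocator that fails, simulating the "heap full" case from the PoC. */
static void *(*alloc_fn)(size_t) = malloc;

/* Allocator that always reports exhaustion. */
static void *failing_alloc(size_t n) { (void)n; return NULL; }

/* Checked version of the _Locale_strxfrm pattern quoted in the ticket.
 * src has src_n meaningful bytes and may lack a terminating NUL, so a
 * terminated copy is built when needed. Returns 0 and stores the
 * strxfrm() result in *out on success; returns -1 with errno = ENOMEM
 * when the copy cannot be allocated, leaving *out untouched. */
int checked_strxfrm(char *dest, size_t dest_n,
                    const char *src, size_t src_n, size_t *out)
{
    const char *real_src;
    char *buf = NULL;

    if (src_n == 0) {
        if (dest != NULL && dest_n > 0) dest[0] = 0;
        *out = 0;
        return 0;
    }
    if (src[src_n] != 0) {
        buf = alloc_fn(src_n + 1);
        if (buf == NULL) {              /* the check the ticket asks for */
            errno = ENOMEM;
            return -1;
        }
        memcpy(buf, src, src_n);        /* src_n bytes, then our own NUL */
        buf[src_n] = 0;
        real_src = buf;
    } else {
        real_src = src;                 /* already terminated, no copy */
    }
    *out = strxfrm(dest, real_src, dest_n);
    free(buf);                          /* free(NULL) is a no-op */
    return 0;
}

int main(void)
{
    /* Constructed input: three letters followed by a non-NUL byte, so the
     * copy path is taken exactly as in the ticket's snippet. */
    const char unterminated[4] = { 'a', 'b', 'c', 'x' };
    char dest[16];
    size_t n;

    if (checked_strxfrm(dest, sizeof dest, unterminated, 3, &n) == 0)
        printf("ok: transformed \"%s\" (%zu bytes)\n", dest, n);

    alloc_fn = failing_alloc;           /* simulate heap exhaustion */
    if (checked_strxfrm(dest, sizeof dest, unterminated, 3, &n) != 0)
        printf("allocation failed, reported cleanly: %s\n", strerror(errno));
    alloc_fn = malloc;
    return 0;
}
```

In the "C" locale, which is active at program start, `strxfrm()` behaves like `strcpy()` and returns the source length, which is what the example relies on; the point is the `buf == NULL` branch, which turns the crash from the ticket into an error the caller can handle.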

Discussion

  • Petr Ovtchenkov

    Petr Ovtchenkov - 2014-07-01
    • status: open --> open-remind
    • assigned_to: Petr Ovtchenkov