oss-sec mailing list archives
Re: Re: strings / libbfd crasher
From: Jakub Wilk <jwilk () jwilk net>
Date: Mon, 27 Oct 2014 20:18:00 +0100
* Michal Zalewski <lcamtuf () coredump cx>, 2014-10-27, 11:59:
> Well, there's also a trivial stack buffer overflow in srec.c near line 254:
>
>   char buf[10];
>   ...
>   sprintf (buf, "\\%03o", (unsigned int) c);
>
> But with this test case, c will be -44, or "\1777777777777777777724",

More likely "\37777777724"...

> which sounds a lot longer than 9 characters.

...which is still longer than 9.

-- 
Jakub Wilk
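
Added example, not part of the original message and not binutils code: it measures what the quoted sprintf format produces for c = -44 and contrasts it with a bounded variant. The function names are hypothetical, a 32-bit unsigned int is assumed, and the bounded variant is one possible hardening, not the fix applied upstream.

```c
#include <stdio.h>
#include <string.h>

/* Length (excluding the NUL) that the format quoted in the thread produces.
   snprintf with size 0 writes nothing and only reports the needed length. */
static int escape_len(int c)
{
    return snprintf(NULL, 0, "\\%03o", (unsigned int) c);
}

/* Same format, written into a caller-supplied buffer that is large enough,
   so the full escaped text can be inspected safely. */
static int format_as_posted(char *out, size_t size, int c)
{
    return snprintf(out, size, "\\%03o", (unsigned int) c);
}

/* Bounded variant (an assumption, not the upstream fix): reduce c to one
   byte before formatting, and let snprintf enforce the buffer size.
   Returns 0 on success, -1 if the output would not fit. */
static int escape_byte(char *buf, size_t size, int c)
{
    int n = snprintf(buf, size, "\\%03o", (unsigned int) (unsigned char) c);
    return (n >= 0 && (size_t) n < size) ? 0 : -1;
}

int main(void)
{
    char wide[32];   /* big enough for any 32-bit octal value */
    char buf[10];    /* same size as the buffer quoted in the thread */
    int c = -44;     /* value quoted in the thread */

    format_as_posted(wide, sizeof wide, c);
    printf("as posted: %s needs %d bytes, buf holds %zu\n",
           wide, escape_len(c) + 1, sizeof buf);

    if (escape_byte(buf, sizeof buf, c) == 0)
        printf("bounded:   %s\n", buf);
    return 0;
}
```

Under the 32-bit assumption the sign-extended value formats to 12 characters plus the terminating NUL, so 13 bytes are written into a 10-byte buffer; masking to a single byte first keeps the escape at four characters.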