Mailinglist Archive: opensuse-bugs (4671 mails)

< Previous Next >
[Bug 640417] info directory is empty
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Mon, 20 Sep 2010 12:44:12 +0000
  • Message-id: <20100920124412.673B1245520@xxxxxxxxxxxxxxxxxxxxxx>

https://bugzilla.novell.com/show_bug.cgi?id=640417

https://bugzilla.novell.com/show_bug.cgi?id=640417#c7


Christopher Yeleighton <giecrilj@xxxxxxxxxxxx> changed:

What |Removed |Added
----------------------------------------------------------------------------
Severity|Minor |Major

--- Comment #7 from Christopher Yeleighton <giecrilj@xxxxxxxxxxxx> 2010-09-20
12:44:11 UTC ---
The function printed_representation sets iter.limit to NULL, thereby preventing
further execution of the parsing loop (via mbi_avail (iter)). The offending
instruction is at info-utils.c:562:

*plen = i - 1;

(gdb) p plen
$49 = (size_t *) 0x7fffffffdc2c

(gdb) f 1
#1 0x000000000041d4ce in process_node_text (win=0x661d50, start=<value
optimized out>,
do_tags=0, fun=0x41ac60 <_calc_line_starts>, closure=0x7fffffffdcc0) at
window.c:1614

(gdb) p &iter.limit
$54 = (const char **) 0x7fffffffdc30

Since I am on a 64-bit machine, *plen and iter.limit overlap. Since the
machine is little-endian, the instruction effectively clears iter.limit. Bang!

Resetting to Severity=Major, with your permission: writing at random places of
memory is no good to security.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

< Previous Next >
References