about summary refs log tree commit diff
path: root/stdio-common/bug23-4.c
diff options
context:
space:
mode:
authorJeff Law <law@redhat.com>2014-12-15 10:09:32 +0100
committerFlorian Weimer <fweimer@redhat.com>2014-12-15 10:09:33 +0100
commita5357b7ce2a2982c5778435704bcdb55ce3667a0 (patch)
tree1292d6cb3f935bf84f07a1acc2fc92409dce1084 /stdio-common/bug23-4.c
parent3a12c70f137707074209241e6c6172ea25f9ab4a (diff)
downloadglibc-a5357b7ce2a2982c5778435704bcdb55ce3667a0.tar.gz
glibc-a5357b7ce2a2982c5778435704bcdb55ce3667a0.tar.xz
glibc-a5357b7ce2a2982c5778435704bcdb55ce3667a0.zip
CVE-2012-3406: Stack overflow in vfprintf [BZ #16617]
A larger number of format specifiers coudld cause a stack overflow,
potentially allowing to bypass _FORTIFY_SOURCE format string
protection.
Diffstat (limited to 'stdio-common/bug23-4.c')
-rw-r--r--stdio-common/bug23-4.c31
1 files changed, 31 insertions, 0 deletions
diff --git a/stdio-common/bug23-4.c b/stdio-common/bug23-4.c
new file mode 100644
index 0000000000..a4785640de
--- /dev/null
+++ b/stdio-common/bug23-4.c
@@ -0,0 +1,31 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/resource.h>
+
+#define LIMIT 1000000
+
+int
+main (void)
+{
+  struct rlimit lim;
+  getrlimit (RLIMIT_STACK, &lim);
+  lim.rlim_cur = 1048576;
+  setrlimit (RLIMIT_STACK, &lim);
+  char *fmtstr = malloc (4 * LIMIT + 1);
+  if (fmtstr == NULL)
+    abort ();
+  char *output = malloc (LIMIT + 1);
+  if (output == NULL)
+    abort ();
+  for (size_t i = 0; i < LIMIT; i++)
+    memcpy (fmtstr + 4 * i, "%1$d", 4);
+  fmtstr[4 * LIMIT] = '\0';
+  int ret = snprintf (output, LIMIT + 1, fmtstr, 0);
+  if (ret != LIMIT)
+    abort ();
+  for (size_t i = 0; i < LIMIT; i++)
+    if (output[i] != '0')
+      abort ();
+  return 0;
+}