http://sourceware.org/bugzilla/show_bug.cgi?id=14919
Bug #: 14919
Summary: Unsafe returned value of NULL pointer in function
_nl_normalize_codeset at file intl/l10nflist.c
Product: binutils
Version: 2.23
Status: NEW
Severity: normal
Priority: P2
Component: binutils
AssignedTo: unassig...@sourceware.org
ReportedBy: yangyeping_...@hotmail.com
Classification: Unclassified
Sorry,I can't find a suitable component for this bug, and I select binutils.
1)The file path containing this vulnerability: intl/l10nflist.c
2)Line number: 433
3)Code fragment (from line 415 to line 433):
retval = (char *) malloc ((only_digit ? 3 : 0) + len + 1);
if (retval != NULL)
{
if (only_digit)
wp = stpcpy (retval, "iso");
else
wp = retval;
for (cnt = 0; cnt < name_len; ++cnt)
if (isalpha ((unsigned char) codeset[cnt]))
*wp++ = tolower ((unsigned char) codeset[cnt]);
else if (isdigit ((unsigned char) codeset[cnt]))
*wp++ = codeset[cnt];
*wp = '\0';
}
return (const char *) retval;
4) Short description: The variable "retval" is assigned at line 415 via
function
"malloc". Although it is sanity-checked, this function can still return a NULL
pointer if retval is NULL.The "_nl_normalize_codeset" function is called at
line
115 "*normali zed_codeset = _nl_normalize_codeset (*codeset,cp - *codeset);" in
file intl/explodename.c. If variable normalized_codeset is null, then the
following strcmp function will have a NULL pointer argument and a NULL pointer
dereference vulnerability occur
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
_______________________________________________
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
