A serious buffer overflow was introduced over 2 years ago (-r1.141 2008/02/14) when support for wide characters was added. The change below unleashed this bug, leading to random segmentation faults on forking when using cygwin 1.7.2 to 1.7.5 (e.g. when running kpsewhich or asymptote):
2009-12-18  Corinna Vinschen  <cori...@vinschen.de>

	* fhandler.h (fhandler_registry::value_name): Convert to wchar_t*.
	* fhandler_registry.cc: Call UNICODE registry functions throughout
	and convert to multibyte using current locale's charset.
	Accommodate throughout.
	(must_encode): Take wchar_t.
	(encode_regname): Convert from wchar_t *.
	(decode_regname): Convert to wchar_t *.

After a long debugging session, I finally tracked the problem down to a buffer overflow in cwcsdup. A patch is attached below. See for example

https://www.securecoding.cert.org/confluence/display/seccode/STR33-C.+Size+wide+character+strings+correctly

I recommend releasing a new cygwin1.dll as soon as possible. As an interim solution, I have applied the patch below and compiled it as the cygwin1.dll that ships with Asymptote-1.92:

https://sourceforge.net/projects/asymptote/files/asymptote/1.92/asymptote-1.92-setup.exe/download

Regards,

-- John Bowman
University of Alberta

diff -ru cygwin.broken/cygheap.cc cygwin/cygheap.cc --- cygwin.broken/cygheap.cc 2009-10-03 05:28:04.000000000 -0700 +++ cygwin/cygheap.cc 2010-04-12 05:43:47.640625000 -0700 @@ -363,7 +363,7 @@ cwcsdup (const PWCHAR s) { MALLOC_CHECK; - PWCHAR p = (PWCHAR) cmalloc (HEAP_STR, wcslen (s) + 1); + PWCHAR p = (PWCHAR) cmalloc (HEAP_STR, (wcslen (s) + 1) * sizeof(wchar_t)); if (!p) return NULL; wcpcpy (p, s); @@ -375,7 +375,7 @@ cwcsdup1 (const PWCHAR s) { MALLOC_CHECK; - PWCHAR p = (PWCHAR) cmalloc (HEAP_1_STR, wcslen (s) + 1); + PWCHAR p = (PWCHAR) cmalloc (HEAP_1_STR, (wcslen (s) + 1) * sizeof(wchar_t)); if (!p) return NULL; wcpcpy (p, s);
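Review bot: in the first hunk (@@ -363,7 +363,7 @@, cwcsdup) the corrected size is right in substance, but `sizeof(wchar_t)` breaks the call style of the surrounding lines (`cmalloc (...)`, `wcslen (s)`, `wcpcpy (p, s)` all put a space before the parenthesis); write `sizeof (wchar_t)`, or better `sizeof (*p)` so the element size follows the `PWCHAR` type automatically. Worth stating in the commit message for the record: `wcpcpy (p, s)` writes `wcslen (s) + 1` wide characters, so before this change every call overran the `HEAP_STR` allocation by `(wcslen (s) + 1) * (sizeof (wchar_t) - 1)` bytes, which is what the random faults on fork were exposing.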
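Review bot: the second hunk (@@ -375,7 +375,7 @@, cwcsdup1) shows that cwcsdup1 is the same code as cwcsdup with only the heap tag (`HEAP_1_STR` versus `HEAP_STR`) differing, so the same sizing bug had to be found and fixed twice. Consider having both functions call one shared implementation that takes the heap tag as a parameter, so the next change to one cannot silently miss the other; the `sizeof (wchar_t)` spacing remark from the first hunk applies here as well.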
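As an added illustration of the sizing rule the message and STR33-C describe (this is not Cygwin's code; the names `wcs_copy_bytes`, `wcsdup_checked`, `buggy_bytes` and `shortfall`, and the use of plain `malloc` in place of `cmalloc`, are my own assumptions), here is the byte-count computation done once, with an overflow guard, next to the buggy count so the shortfall is visible:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Number of bytes needed to hold a copy of the wide string s, including
   its terminating L'\0'. Returns 0 if the multiplication would overflow,
   so the caller must check the result before allocating. */
size_t wcs_copy_bytes(const wchar_t *s)
{
    size_t n = wcslen(s);
    /* We need (n + 1) elements of sizeof(wchar_t) bytes each; refuse if
       (n + 1) * sizeof(wchar_t) cannot be represented in a size_t. */
    if (n > SIZE_MAX / sizeof(wchar_t) - 1)
        return 0;
    return (n + 1) * sizeof(wchar_t);
}

/* Duplicate a wide string (hypothetical helper mirroring the corrected
   cwcsdup, with malloc standing in for cmalloc). Returns NULL on failure. */
wchar_t *wcsdup_checked(const wchar_t *s)
{
    size_t bytes = wcs_copy_bytes(s);
    if (bytes == 0)
        return NULL;
    wchar_t *p = malloc(bytes);
    if (!p)
        return NULL;
    memcpy(p, s, bytes);   /* bytes already includes the terminator */
    return p;
}

/* The sizing the original cwcsdup used: it counted characters, not bytes. */
size_t buggy_bytes(const wchar_t *s)
{
    return wcslen(s) + 1;
}

/* How many bytes the buggy allocation falls short of what the copy writes;
   this is the amount by which wcpcpy overran the heap block. */
size_t shortfall(const wchar_t *s)
{
    return wcs_copy_bytes(s) - buggy_bytes(s);
}
```

On Cygwin `wchar_t` is 2 bytes, so the original code under-allocated by `wcslen(s) + 1` bytes per call; on a platform with a 4-byte `wchar_t` the overrun is three times that. Either way the write past the end of the block lands in whatever the heap placed next, which is why the symptom was an unrelated fault rather than an error at the copy.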