https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105403

            Bug ID: 105403
           Summary: [Bug] Buffer overflow can happen when reading
                    pchf_data from file
           Product: gcc
           Version: 11.3.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: pch
          Assignee: unassigned at gcc dot gnu.org
          Reporter: liftdat at protonmail dot com
  Target Milestone: ---

In the file libcpp/files.c, the function _cpp_read_file_entries has the
following code (link:
https://github.com/gcc-mirror/gcc/blob/9715f10c0651c9549b479b69d67be50ac4bd98a6/libcpp/files.cc#L2049):

bool
_cpp_read_file_entries (cpp_reader *pfile ATTRIBUTE_UNUSED, FILE *f)
{
  struct pchf_data d;

  if (fread (&d, sizeof (struct pchf_data) - sizeof (struct pchf_entry), 1, f)
       != 1)
    return false;

  pchf = XNEWVAR (struct pchf_data, sizeof (struct pchf_data)
                  + sizeof (struct pchf_entry) * (d.count - 1));
  memcpy (pchf, &d, sizeof (struct pchf_data) - sizeof (struct pchf_entry));
  if (fread (pchf->entries, sizeof (struct pchf_entry), d.count, f)
      != d.count)
    return false;
  return true;
}

The count field of d is read straight from the file f with no validation, so
a crafted input can set d.count to an arbitrarily large value, e.g., UINT64_MAX.

In this case the allocation size is computed in size_t arithmetic, which wraps
on overflow, so a suitably chosen count makes this expression yield a small
value for the size of the allocated buffer:
    sizeof (struct pchf_data) + sizeof (struct pchf_entry) * (d.count - 1)

The subsequent fread of d.count entries into pchf->entries then writes past the
end of the undersized buffer pointed to by pchf, i.e. a heap buffer overflow.
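The following is an added example, not code from the bug report or from libcpp, showing the wraparound concretely and one way the read could be hardened. The struct layouts are simplified stand-ins (assumed, not the real pchf_entry/pchf_data definitions; on LP64 the entry pads to 32 bytes and the header to 8), and wrapping_count, checked_alloc_size, read_file_entries_checked and demo_accepts are names introduced here. With these sizes a count of SIZE_MAX / 32 + 2 makes (count - 1) * 32 wrap to exactly zero, so the unchecked size collapses to sizeof (struct pchf_data) while the later fread would still try to read 2^59 + 1 entries. The hardened version rejects count == 0, detects overflow in the multiply and the add with the GCC/Clang overflow builtins, and refuses any count that the bytes remaining in the stream cannot hold.

```c
#define _POSIX_C_SOURCE 200809L   /* fmemopen() in the demo harness below */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for libcpp's pchf_entry / pchf_data.  Assumed layouts
   for this demo, not the real definitions: only the shape of the arithmetic
   (fixed header + `count` entries) matters here. */
struct pchf_entry { size_t size; unsigned char sum[16]; bool once_only; };
struct pchf_data  { size_t count; struct pchf_entry entries[1]; };

#define PCHF_HEADER (sizeof (struct pchf_data) - sizeof (struct pchf_entry))

/* The allocation size exactly as the reported code computes it.  size_t
   arithmetic wraps modulo SIZE_MAX + 1, so a crafted count can make this
   small while the following fread still tries to read `count` entries. */
size_t unchecked_alloc_size (size_t count)
{
  return sizeof (struct pchf_data) + sizeof (struct pchf_entry) * (count - 1);
}

/* A count for which (count - 1) * sizeof (entry) wraps to exactly zero, so the
   unchecked size collapses to sizeof (struct pchf_data).  Assumes the entry
   size is a power of two (32 on LP64 with the layout above). */
size_t wrapping_count (void)
{
  return SIZE_MAX / sizeof (struct pchf_entry) + 2;
}

/* Hardened size computation.  Returns 0 (never a valid size) when the count
   is rejected: count == 0 (count - 1 would wrap), overflow in the multiply or
   the add (GCC/Clang builtins), or more entries than the remaining bytes of
   the file can possibly hold. */
size_t checked_alloc_size (size_t count, size_t bytes_left_in_file)
{
  size_t entries_bytes, total;

  if (count == 0)
    return 0;
  if (__builtin_mul_overflow (count - 1, sizeof (struct pchf_entry), &entries_bytes))
    return 0;
  if (__builtin_add_overflow (entries_bytes, sizeof (struct pchf_data), &total))
    return 0;
  if (count > bytes_left_in_file / sizeof (struct pchf_entry))
    return 0;
  return total;
}

/* Hardened reader with the same shape as _cpp_read_file_entries: read the
   header, measure what remains in the stream, validate count, then allocate
   and read.  On failure nothing is leaked and *out is NULL. */
bool read_file_entries_checked (FILE *f, struct pchf_data **out)
{
  struct pchf_data d, *p;
  long start, end;
  size_t alloc;

  *out = NULL;
  if (fread (&d, PCHF_HEADER, 1, f) != 1)
    return false;
  if ((start = ftell (f)) < 0 || fseek (f, 0, SEEK_END) != 0
      || (end = ftell (f)) < 0 || fseek (f, start, SEEK_SET) != 0)
    return false;
  alloc = checked_alloc_size (d.count, (size_t) (end - start));
  if (alloc == 0 || (p = malloc (alloc)) == NULL)
    return false;
  memcpy (p, &d, PCHF_HEADER);
  if (fread (p->entries, sizeof (struct pchf_entry), d.count, f) != d.count)
    {
      free (p);
      return false;
    }
  *out = p;
  return true;
}

/* Demo harness: build a constructed blob (header with the given count, then
   `entries` zeroed entries; not data from a real PCH file) and feed it through
   the hardened reader via fmemopen.  True iff the blob is accepted. */
bool demo_accepts (size_t count, size_t entries)
{
  unsigned char blob[PCHF_HEADER + 4 * sizeof (struct pchf_entry)];
  size_t len = PCHF_HEADER + entries * sizeof (struct pchf_entry);
  struct pchf_data hdr, *p = NULL;
  FILE *f;
  bool ok;

  if (entries > 4)
    return false;
  memset (blob, 0, sizeof blob);
  hdr.count = count;
  memcpy (blob, &hdr, PCHF_HEADER);
  f = fmemopen (blob, len, "rb");
  if (f == NULL)
    return false;
  ok = read_file_entries_checked (f, &p);
  fclose (f);
  free (p);
  return ok;
}

int main (void)
{
  printf ("unchecked size for count %zu: %zu bytes\n",
          wrapping_count (), unchecked_alloc_size (wrapping_count ()));
  printf ("well-formed blob accepted: %d\n", demo_accepts (2, 2));
  printf ("truncated blob accepted:   %d\n", demo_accepts (5, 1));
  printf ("wrapping count accepted:   %d\n", demo_accepts (wrapping_count (), 0));
  return 0;
}
```

The remaining-bytes check is the one that matters in practice: a count that survives the overflow checks but exceeds what the file holds would still make fread return short after having written into the buffer, so rejecting it before allocation is cheaper and safer than trusting the short-read return value alone.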
