https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105403
Bug ID: 105403
Summary: [Bug] Buffer overflow can happen when reading
pchf_data from file
Product: gcc
Version: 11.3.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: pch
Assignee: unassigned at gcc dot gnu.org
Reporter: liftdat at protonmail dot com
Target Milestone: ---
In the file libcpp/files.c, the function _cpp_read_file_entries has the
following code (link:
https://github.com/gcc-mirror/gcc/blob/9715f10c0651c9549b479b69d67be50ac4bd98a6/libcpp/files.cc#L2049):
bool
_cpp_read_file_entries (cpp_reader *pfile ATTRIBUTE_UNUSED, FILE *f)
{
struct pchf_data d;
if (fread (&d, sizeof (struct pchf_data) - sizeof (struct pchf_entry), 1, f)
!= 1)
return false;
pchf = XNEWVAR (struct pchf_data, sizeof (struct pchf_data)
+ sizeof (struct pchf_entry) * (d.count - 1));
memcpy (pchf, &d, sizeof (struct pchf_data) - sizeof (struct pchf_entry));
if (fread (pchf->entries, sizeof (struct pchf_entry), d.count, f)
!= d.count)
return false;
return true;
}
The count field for the pchf_data d is read from the file f. Therefore, given a
crafted input, d.count can get a really large value, e.g., UINT64_MAX.
In this case, the computation of the allocation size will trigger an integer
overflow and give a small value for the size of the allocated buffer:
sizeof (struct pchf_data) + sizeof (struct pchf_entry) * (d.count - 1)
This can lead to subsequent buffer overflow for the buffer pointed by pchf.
