https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105403
Bug ID: 105403 Summary: [Bug] Buffer overflow can happen when reading pchf_data from file Product: gcc Version: 11.3.0 Status: UNCONFIRMED Severity: normal Priority: P3 Component: pch Assignee: unassigned at gcc dot gnu.org Reporter: liftdat at protonmail dot com Target Milestone: --- In the file libcpp/files.c, the function _cpp_read_file_entries has the following code (link: https://github.com/gcc-mirror/gcc/blob/9715f10c0651c9549b479b69d67be50ac4bd98a6/libcpp/files.cc#L2049): bool _cpp_read_file_entries (cpp_reader *pfile ATTRIBUTE_UNUSED, FILE *f) { struct pchf_data d; if (fread (&d, sizeof (struct pchf_data) - sizeof (struct pchf_entry), 1, f) != 1) return false; pchf = XNEWVAR (struct pchf_data, sizeof (struct pchf_data) + sizeof (struct pchf_entry) * (d.count - 1)); memcpy (pchf, &d, sizeof (struct pchf_data) - sizeof (struct pchf_entry)); if (fread (pchf->entries, sizeof (struct pchf_entry), d.count, f) != d.count) return false; return true; } The count field for the pchf_data d is read from the file f. Therefore, given a crafted input, d.count can get a really large value, e.g., UINT64_MAX. In this case, the computation of the allocation size will trigger an integer overflow and give a small value for the size of the allocated buffer: sizeof (struct pchf_data) + sizeof (struct pchf_entry) * (d.count - 1) This can lead to subsequent buffer overflow for the buffer pointed by pchf.