CVE Requests - glibc overflows (strxfrm)

[mancha <mancha1 () zoho com>]

Hello.

1. Joseph Myers discovered strxfrm is vulnerable to integer overflows
when computing memory allocation sizes (similar to CVE-2012-4412). i.e.
in string/strxfrm_l.c:

  idxarr = (int32_t *) malloc ((srclen + 1) * (sizeof (int32_t) + 1));

Attached strxfrm-int32.c should trigger on 32-bit machines.

2. Shaun Colley discovered strxfrm falls back to an unbounded alloca if
malloc fails making it vulnerable to stack-based buffer overflows
(similar to CVE-2012-4424) [1]. Attached strxfrm-alloca.c should
trigger.


Both issues were fixed in glibc 2.21 [2] and a quick check shows
vulnerable code appears to go back to at least glibc 2.3.

Please allocate CVEs for these issues. Many thanks.

--mancha

==============

[1] https://sourceware.org/bugzilla/show_bug.cgi?id=16009
[2] https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0f9e585480ed

Attachment: strxfrm-alloca.c
Description:

Attachment: strxfrm-int32.c
Description:

Attachment: _bin
Description: