Vulnerability Development mailing list archives

Re: problem with C and Gcc 2.95.3


From: "Riley Hassell" <riley () speakeasy org>
Date: Sat, 26 May 2001 20:13:07 -0700


The loop:
 for (i=0;1<10;i++){
is not terminated correctly.

It continues through memory printing the decimal values of whatever it
finds. During this process it cycles through the rest of the process's
memory, which happens to include environment information. Finally it reaches
memory that is <out of bounds>. (Anything past 0xbfffffff in this case).
When it tries to access this, an Access violation occurs, or a "Segmentation
Fault".

As far as printing the ascii value of the bytes, either you're using %c or
%s in another test... or something really, really odd is happening.
Impossibly odd. :)

If for some extremely strange reason the %d conversion specifier is printing
data as an ASCII string or ASCII characters, then this could be really
interesting in some cases.

For example:
char buffer[20];
sprintf(buffer,"%d",data[num]);

But again I find that hard to believe, considering almost every tool
compiled with that version of GCC would fail... and people would've noticed
that, hopefully.


Hey GCC people...
when are we going to have watch exception functionality in linux/intel
GCC!!!!


Riley Hassell
Vulnerability Developer
eEye Digital Security

----- Original Message -----
From: "Blue Boar" <BlueBoar () thievco com>
To: <vuln-dev () securityfocus com>
Sent: Saturday, May 26, 2001 1:47 PM
Subject: Re: problem with C and Gcc 2.95.3


Doru Petrescu wrote:
<snip>
3. i can't understand how it produced this kind of result ...
   since printf("%d", ...) will print NUMBERS, and can't print a series of
   dots, like you can see in the output you attached.
   so i guess the original program had %c or %s ... i put my money on %c ...

Which is why I let the message through.  Any reason why a %d stepping off
the end of a buffer would end up printing out the environment like that?
Or is it certain that the source that was mailed in doesn't match the
output?

BB

<snip>
The program returns:

..........ÿ¿Hùÿ¿¾l@tùÿ¿|ùÿ¿"tùÿ¿Hùÿ¿fl(@
tùÿ¿¨k@xö@Aðtùÿ¿~"À¤@lùÿ¿0.@»úÿ¿¿úÿ¿Ðúÿ¿úúÿ¿

ûÿ¿(ûÿ¿Pûÿ¿cûÿ¿.ûÿ¿-ûÿ¿©ûÿ¿»ûÿ¿Çûÿ¿Ðûÿ¿êûÿ¿ôûÿ¿Òýÿ¿Ýýÿ¿þýÿ¿-þÿ¿Gþÿ¿\þÿ¿iþÿ¿}
þÿ¿.þÿ¿"þÿ¿zþÿ¿©þÿ¿¶þÿ¿¾þÿ¿Êþÿ¿
  ÿÿ¿ÿÿ¿/ÿÿ¿=ÿÿ¿Kÿÿ¿\ÿÿ¿jÿÿ¿uÿÿ¿?ÿÿ¿²ÿÿ¿Áÿÿ¿Ðÿÿ¿äÿÿ¿òÿÿ¿4 @        f


ÿùf¶úÿ¿i686./5PWD=/root/prg/myLTDL_LIBRARY_PATH=/root/.kde/lib:/usr/libLC_ME
SSAGES=itHOSTNAME=localhost.localdomainLD_LIBRARY_PATH=/root/.kde/lib:/usr/l
ibLESSKEY=/etc/.lessLESSOPEN=|/usr/bin/lesspipe.sh
%sLANGUAGE=it_IT:itENV=/root/.bashrcPS1=[\u@\h \W]\$

KDEDIR=/usrLESS=-MMBROWSER=/usr/bin/netscapeUSER=rootLS_COLORS=no=00:fi=00:d
i=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi
=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=
01;32:*.tar=01;31:*.tgz=01;31:*.tbz2=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;
31:*.lzh=01;31:*.
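An added example, not code from the thread or from any of the people posting in it, that puts the two points under discussion side by side in C: the posted loop with its bound corrected to i < n, a %d rendering and a %c rendering of the same bytes (a constructed five-byte sample, not the attached output) to show which of the two yields dots and raw high bytes, and the widest text a single %d of an int can produce, so the char buffer[20] sprintf case can be judged. All function names and the sample bytes are assumptions of the example; snprintf is used in place of sprintf so an undersized buffer is reported instead of overrun.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample input (not data from the thread): three '.' bytes
 * followed by two high bytes, roughly the kind of content the posted
 * output starts with. */
static const unsigned char sample[] = { '.', '.', '.', 0xff, 0xbf };
#define SAMPLE_LEN (sizeof sample / sizeof sample[0])

/* The loop as posted never terminates on its own:
 *     for (i=0;1<10;i++){      "1<10" is always true, so i walks off
 *                              the end of the array until a read faults.
 * Every loop below uses the intended bound, i < n. */

/* Render n bytes with %d, the way the posted source claimed to.
 * Returns the number of characters written, or -1 if the caller's buffer
 * is too small (snprintf reports the length it wanted, so truncation is
 * detected instead of silently overflowing as sprintf would). */
int format_as_decimal(const unsigned char *data, size_t n,
                      char *out, size_t outsz)
{
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        int w = snprintf(out + used, outsz - used, i ? " %d" : "%d", data[i]);
        if (w < 0 || (size_t)w >= outsz - used)
            return -1;
        used += (size_t)w;
    }
    return (int)used;
}

/* The same bytes rendered as characters (what %c gives you): this is what
 * turns 0x2e into a run of dots and high bytes into raw 8-bit noise, which
 * is the evidence Doru and Blue Boar point at. */
int format_as_chars(const unsigned char *data, size_t n,
                    char *out, size_t outsz)
{
    if (n + 1 > outsz)
        return -1;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)data[i];
    out[n] = '\0';
    return (int)n;
}

/* Widest text a single %d of an int can produce (11 for "-2147483648"
 * with a 32-bit int). A char buffer[20] therefore cannot overflow from
 * one sprintf(buffer,"%d",x); the same buffer with %s has no such ceiling. */
int max_int_decimal_width(void)
{
    char tmp[32];
    return snprintf(tmp, sizeof tmp, "%d", INT_MIN);
}

/* Convenience wrappers over the constructed sample so the two views can be
 * inspected without managing buffers. */
static char view[64];

const char *sample_decimal_view(void)
{
    return format_as_decimal(sample, SAMPLE_LEN, view, sizeof view) < 0 ? NULL : view;
}

const char *sample_char_view(void)
{
    return format_as_chars(sample, SAMPLE_LEN, view, sizeof view) < 0 ? NULL : view;
}

/* 1 if a deliberately undersized output buffer is refused rather than
 * overrun. */
int undersized_buffer_is_refused(void)
{
    char small[4];
    return format_as_decimal(sample, SAMPLE_LEN, small, sizeof small) == -1;
}

int main(void)
{
    printf("%%d view: %s\n", sample_decimal_view());
    printf("%%c view: %s\n", sample_char_view());
    printf("widest int as %%d: %d chars\n", max_int_decimal_width());
    printf("undersized buffer refused: %d\n", undersized_buffer_is_refused());
    return 0;
}
```

Build with cc -std=c99 -Wall and run; the %d view prints "46 46 46 255 191" while the %c view prints three dots followed by two high bytes, which is the contrast the thread is arguing about.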
