oss-sec mailing list archives
Re: GStreamer Security Advisory 2024-0003: Orc compiler stack-based buffer overflow
From: Solar Designer <solar () openwall com>
Date: Sun, 28 Jul 2024 16:37:58 +0200
On Fri, Jul 26, 2024 at 01:05:09PM -0700, Alan Coopersmith wrote:
Yes, this came up in the discussion to add asprintf() to POSIX in https://austingroupbugs.net/view.php?id=1496 :Of the above listed implementations, all but GNU libc document that they will set *ptr to NULL on error, while GNU libc explicitly states that you cannot rely on it to do so (and looking at its code, sometimes it does, sometimes it doesn't).and so the standard was written to allow both ways to be conformant. If GNU libc was willing to change that, perhaps the next version of the standard could as well.
I didn't know you contributed to getting this standardized. Thank you! I think glibc should change, but the standard should merely strongly encourage libc's to implement the safer behavior. It shouldn't guarantee it because older glibc systems will remain in use. Alexander
Current thread:
- GStreamer Security Advisory 2024-0003: Orc compiler stack-based buffer overflow Alan Coopersmith (Jul 26)
- Re: GStreamer Security Advisory 2024-0003: Orc compiler stack-based buffer overflow Solar Designer (Jul 26)
- Re: GStreamer Security Advisory 2024-0003: Orc compiler stack-based buffer overflow Alan Coopersmith (Jul 26)
- Re: GStreamer Security Advisory 2024-0003: Orc compiler stack-based buffer overflow Solar Designer (Jul 28)
- Re: GStreamer Security Advisory 2024-0003: Orc compiler stack-based buffer overflow Florian Weimer (Jul 29)
- Re: GStreamer Security Advisory 2024-0003: Orc compiler stack-based buffer overflow Alan Coopersmith (Jul 26)
- Re: GStreamer Security Advisory 2024-0003: Orc compiler stack-based buffer overflow Solar Designer (Jul 26)