ssett / gperftools

Automatically exported from code.google.com/p/gperftools
BSD 3-Clause "New" or "Revised" License

GetenvBeforeMain() in sysinfo.cc may cause access violation #644

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The problem was found using Clang AddressSanitizer.

The following source code:

    const int namelen = strlen(name);
    for (char** p = __environ; *p; p++) {
      if (!memcmp(*p, name, namelen) && (*p)[namelen] == '=')  // it's a match
        return *p + namelen+1;                                 // point after =
    }

may try to read beyond the last string inside the |__environ| variable if
strlen(*p) < namelen.

The solution is simple:

    const int namelen = strlen(name);
    for (char** p = __environ; *p; p++) {
 +    if (strlen(*p) < namelen) continue;
      if (!memcmp(*p, name, namelen) && (*p)[namelen] == '=')  // it's a match
        return *p + namelen+1;                                 // point after =
    }
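
Review bot: on the added `if (strlen(*p) < namelen) continue;` line, strlen() returns size_t while namelen is declared int, so the comparison mixes signed and unsigned operands; declaring namelen as size_t avoids that. The check also scans every environment entry a second time; using strncmp(*p, name, namelen) == 0 in place of memcmp() stops at the entry's terminating NUL and would make the separate strlen() call unnecessary.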

Check the length before doing memcmp().

Original issue reported on code.google.com by abys...@gmail.com on 18 Aug 2014 at 5:49
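
An added example, not part of the original issue or the gperftools source: a bounded lookup over an envp-style array, plus a helper that counts the entries on which an unchecked `memcmp(*p, name, namelen)` could read past the end of the string. The names `lookup_env`, `count_overread_entries` and `sample_env` are hypothetical, and the sample environment is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample environment (not taken from the issue). */
static char *const sample_env[] = {
  "A=1", "TZ", "HEAPPROFILE_X=2", "HEAPPROFILE=/tmp/hp", NULL
};

/* Bounded lookup over a NULL-terminated list of "NAME=value" strings.
 * strncmp() stops at the entry's terminating NUL, so an entry shorter
 * than the name is never read past its end. (Hypothetical helper.) */
const char *lookup_env(char *const *envp, const char *name) {
  const size_t namelen = strlen(name);
  if (namelen == 0 || strchr(name, '=') != NULL)
    return NULL;                      /* not a valid variable name */
  for (char *const *p = envp; *p != NULL; p++) {
    /* After a full strncmp() match, (*p)[namelen] is at worst the NUL. */
    if (strncmp(*p, name, namelen) == 0 && (*p)[namelen] == '=')
      return *p + namelen + 1;        /* point after '=' */
  }
  return NULL;
}

/* memcmp() may touch all namelen bytes of both buffers. An entry is at
 * risk when its storage (characters plus NUL) is smaller than namelen. */
size_t count_overread_entries(char *const *envp, const char *name) {
  const size_t namelen = strlen(name);
  size_t at_risk = 0;
  for (char *const *p = envp; *p != NULL; p++) {
    if (strlen(*p) + 1 < namelen)
      at_risk++;
  }
  return at_risk;
}

int main(void) {
  const char *v = lookup_env(sample_env, "HEAPPROFILE");
  printf("HEAPPROFILE=%s, at-risk entries: %zu\n", v ? v : "(unset)",
         count_overread_entries(sample_env, "HEAPPROFILE"));
  return 0;
}
```

The `HEAPPROFILE_X=2` entry shows why the `'='` check after the prefix comparison is still needed: it shares the prefix but is a different variable.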

GoogleCodeExporter commented 9 years ago
merged. Thanks.

Original comment by alkondratenko on 19 Aug 2014 at 6:45