Stories
Slash Boxes
Comments
NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report

use Perl Log In

Log In

[ Create a new account ]

Aristotle (5147)

Aristotle
  pagaltzis@gmx.de
http://plasmasturm.org/

Blah blah blah blah blah [technorati.com]

Journal of Aristotle (5147)

Wednesday June 06, 2007
11:16 AM

The blind leading the blind

[ #33448 ]

This is a tale of an integer overflow vulnerability (paraphrased for the purposes of the tale, as are all following snippets):

dest = calloc(EXPR, sizeof(char));
/* where EXPR is a calculation that is never checked for overflow */

Of course, the maintainers of the software in question are studious and busy types and they would not let this go unfixed for long – they instituted a check to make sure that such a thing would never happen again:

int size;

size = EXPR;

if (size > INT_MAX || size <= 0) {
    return NULL;
}

dest = calloc(size, sizeof(char));

Marvelous! Now the code is safe…

Err, right. Undaunted and unphased by having made a mistake, they sagely nodded when they learned of it, and proceeded to implement a fix that would rid the world of this evil for good:

float size;

size = PARTIAL_EXPR_1;
size *= PARTIAL_EXPR_2;
size += PARTIAL_EXPR_3;

if (size > INT_MAX || size <= 0) {
    return NULL;
}

dest = calloc((int)size, sizeof(char));

And the world was a safer pl… err… I mean: and when they also got rid of floating point round-offs, the world became a safer pla…

OK, people, enough of the fairy tales. How do these people even come up with this stuff?!? Testing an integer for whether it’s greater than INT_MAX ?! A float to calculate the length of a string!? I mean… I am… when I…

You can’t even parody this stuff.

This is bogosity as it belongs on DailyWTF, not into one of the most widely deployed codebases on the internet that is backed by several of the biggest corporations in IT. Please, please, someone tell me how PHP got to be as big as it is?

P.S.: oh yeah, and the current guard clause looks like this:

int charsize = sizeof(char);

/* still the same float-based calculation here */

if ((size > INT_MAX || size <= 0) || ((size * charsize) > INT_MAX || (size * charsize) <= 0)) {
    return NULL;
}

Portability is important, after all.

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
 Full
 Abbreviated
 Hidden
More | Login | Reply
Loading... please wait.
  • This is fun. It continues on...

    This one [php.net] looks like they found a few more overflows. Its all OK now.

    Oops! [php.net] Broke it again.

  • int charsize = sizeof(char);
    The only* thing in C that they could assume .... and they didn't assume it ....
    But really, this is just terrible. Where are all the decent developers ?

    *well almost.
    • Hell if I know. “Terrible” doesn’t even begin to describe it. If I hadn’t seen the CVS diffs with my own eyes, I would have thought it a joke. Nobody can be so comically incompetent, right? Turns out, yes they can be.