* Andrew Makhorin <[EMAIL PROTECTED]> [2007-09-11 10:32]:
> > static void
> > xvprintf (const char *fmt, va_list arg)
> > {
> >       char buf[4000 + 1];
> >       vsprintf (buf, fmt, arg);
> >       xassert (strlen (buf) < sizeof (buf)); /* here! */
> >       xputs (buf);
> >       return;
> > }
> >
> > The assertion checks the length of the string in the current buffer
> > AFTER having written it there. Too late, and ineffective anyway.
>
> However, this is not a bug, since buf cannot overflow; xvprintf is
> not available on api level neither directly nor indirectly and used
> internally only by glpk routines, which do not output messages long
> enough to cause the overflow.
I am a bit confused here: xvprintf is called by xprintf in
src/glplib05.c. The xprintf function is actually available in the
public API through _glp_lib_xprintf. It would then be possible to
write a malicious program linked against libglpk that would exploit
the buffer overflow vulnerability described in this bug report.

Please, tell me whether I am wrong or not.

-- 
Rafael

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
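The root problem in the quoted xvprintf is that vsprintf has no idea how large buf is, so the assertion runs after any overflow has already happened. The following is an added example, not GLPK's code and not part of either message above: a hypothetical hardened variant (safe_xvprintf / format_message are invented names) that formats with vsnprintf, which is bounded by the buffer size and reports, via its return value, whether the message would have been truncated. The 5000-byte input in the demo function is constructed for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Same buffer size as the xvprintf quoted in the thread. */
#define XBUF_SIZE (4000 + 1)

/* Hypothetical replacement for xvprintf's formatting step.
   vsnprintf never writes more than outsz bytes (including the NUL),
   so the buffer cannot overflow regardless of the message length.
   Returns the length the full message would have had, or -1 on an
   encoding error; a value >= outsz means the output was truncated. */
static int safe_xvprintf(char *out, size_t outsz, const char *fmt, va_list arg)
{
    int needed = vsnprintf(out, outsz, fmt, arg);
    if (needed < 0) {
        out[0] = '\0';          /* leave a valid (empty) string behind */
        return -1;
    }
    return needed;
}

/* Variadic front end, like xprintf calling xvprintf.
   Returns 1 if the whole message fit in out, 0 if it was truncated
   or could not be formatted. The check happens BEFORE anything
   unbounded is written, which is what the quoted xassert could not do. */
int format_message(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int needed;

    va_start(ap, fmt);
    needed = safe_xvprintf(out, outsz, fmt, ap);
    va_end(ap);

    return needed >= 0 && (size_t)needed < outsz;
}

/* Demo: a constructed message of 5000 'A's, longer than XBUF_SIZE.
   Returns 1 when truncation was reported and the buffer still holds a
   properly terminated string of at most XBUF_SIZE - 1 characters. */
int demo_long_message_is_bounded(void)
{
    char buf[XBUF_SIZE];
    char big[5000 + 1];
    int fit;

    memset(big, 'A', 5000);
    big[5000] = '\0';

    fit = format_message(buf, sizeof buf, "%s", big);
    return !fit && strlen(buf) == XBUF_SIZE - 1;
}

/* Demo: a short message fits and is formatted normally. Returns 1 on success. */
int demo_short_message_fits(void)
{
    char buf[16];
    int fit = format_message(buf, sizeof buf, "%s=%d", "x", 42);
    return fit && strcmp(buf, "x=42") == 0;
}

int main(void)
{
    printf("long message bounded: %d\n", demo_long_message_is_bounded());
    printf("short message fits:   %d\n", demo_short_message_fits());
    return 0;
}
```

Whether the truncated case should be silently accepted, logged, or treated as an internal error is a policy choice; the point of the example is that the decision is made from vsnprintf's return value, with the buffer intact either way, instead of from a strlen on memory that may already have been overrun.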