Package: libstdc++6
Version: 4.1.1-21
Severity: important
Tags: security

See bug #155529 -- this is the same problem referenced by the same advisory:
http://cert.uni-stuttgart.de/advisories/calloc.php

Severity should probably be higher for a security problem, but I'll set it the same as that original bug.

Basically Big *big = new Big[size] can allocate less than requested but fail to throw an exception, if sizeof(Big) * size overflows. A sample program is attached. On i386, the first allocation correctly succeeds, the second correctly throws an exception (it's trying to allocate ~4GB), and the third appears to allocate successfully but segfaults on access.

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17.4
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages libstdc++6 depends on:
ii  gcc-4.1-base  4.1.1-21  The GNU Compiler Collection (base
ii  libc6         2.3.6-15  GNU C Library: Shared libraries
ii  libgcc1       1:4.1.1-21  GCC support library

libstdc++6 recommends no packages.

-- no debconf information
#include <stdio.h>
#include <exception>

// 1000-byte element, so sizeof(Big) * size wraps a 32-bit size_t once size
// exceeds 4294967 (2^32 / 1000).
class Big {
public:
    char big[1000];
};

int main()
{
    // 4294 elements: fits.  4294000: ~4 GB, too large but no wrap, so bad_alloc.
    // 4296000: the byte count wraps past 2^32, so a much smaller block is returned.
    int size[3] = { 4294, 4294000, 4296000 };
    for (int i = 0; i < 3; i++) {
        try {
            Big *bigs = new Big[size[i]];
            printf("%d allocated\n", i);
            bigs[1234].big[0] = 0;   // touches memory past the wrapped allocation in case 3
            printf("%d tested\n", i);
            delete[] bigs;
        } catch (const std::exception &e) {   // catch by reference; bad_alloc derives from std::exception
            printf("%d exception\n", i);
        }
    }
}
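The size check that the report's `new Big[size]` is missing, as an added example that is neither the reporter's attached program nor libstdc++ code: `mul_overflows` models the sizeof(Big) * size multiplication at a chosen word width (32 reproduces the i386 numbers from the report on any host), and `checked_new_array` refuses the allocation instead of letting the byte count wrap. Both function names are assumptions made for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <new>
#include <stdexcept>

// Same element type as the attached reproducer: 1000 bytes per element.
struct Big { char big[1000]; };

// True if elem_size * count does not fit in an unsigned integer of `bits` bits.
// bits = 32 models size_t on the i386 system in the report, 64 a 64-bit host.
// (Constructed helper for illustration, not part of libstdc++.)
bool mul_overflows(std::uint64_t elem_size, std::uint64_t count, unsigned bits) {
    if (bits == 0 || bits > 64) throw std::invalid_argument("bits must be 1..64");
    std::uint64_t limit = (bits == 64) ? UINT64_MAX
                                       : ((std::uint64_t{1} << bits) - 1);
    if (elem_size == 0 || count == 0) return false;
    // Dividing instead of multiplying means the check itself cannot wrap.
    return count > limit / elem_size;
}

// Allocate an array only after proving the byte count fits in this host's size_t.
// Throws std::bad_array_new_length (what C++11 and later runtimes do for this
// case) rather than silently allocating a wrapped, too-small block.
template <typename T>
T *checked_new_array(std::size_t count) {
    if (mul_overflows(sizeof(T), count, 8 * sizeof(std::size_t)))
        throw std::bad_array_new_length();
    return new T[count];
}

// 0 = allocated and freed, 1 = size computation would wrap, 2 = out of memory.
// bad_array_new_length derives from bad_alloc, so it must be caught first.
int try_alloc(std::size_t count) {
    try {
        Big *bigs = checked_new_array<Big>(count);
        delete[] bigs;
        return 0;
    } catch (const std::bad_array_new_length &) {
        return 1;
    } catch (const std::bad_alloc &) {
        return 2;
    }
}

int main() {
    // The report's third case under a 32-bit size_t: 4296000 * 1000 wraps.
    return mul_overflows(sizeof(Big), 4296000, 32) ? 0 : 1;
}
```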