Date: 13 Apr 2010 09:47:36 -0000
Message-ID: <20100413094736.22619.qmail@wizard.math.ualberta.ca>
From: John Bowman
To: cygwin AT cygwin DOT com
Subject: URGENT: patch to fix buffer overflow in cygwin1.dll in versions 1.7.2 to 1.7.5

A serious buffer overflow was introduced over 2 years ago (-r1.141 2008/02/14) when support for wide characters was added. The change below unleashed this bug, leading to random segmentation faults on forking when using cygwin 1.7.2 to 1.7.5 (e.g. when running kpsewhich or asymptote):

2009-12-18  Corinna Vinschen

	* fhandler.h (fhandler_registry::value_name): Convert to wchar_t*.
	* fhandler_registry.cc: Call UNICODE registry functions throughout
	and convert to multibyte using current locale's charset.
	Accommodate throughout.
	(must_encode): Take wchar_t.
	(encode_regname): Convert from wchar_t *.
	(decode_regname): Convert to wchar_t *.

After a long debugging session, I finally tracked the problem down to a buffer overflow in cwcsdup. A patch is attached below. See for example

https://www.securecoding.cert.org/confluence/display/seccode/STR33-C.+Size+wide+character+strings+correctly

I recommend releasing a new cygwin1.dll as soon as possible. As an interim solution, I have applied the patch below and compiled it as the cygwin1.dll that ships with Asymptote-1.92:

https://sourceforge.net/projects/asymptote/files/asymptote/1.92/asymptote-1.92-setup.exe/download

Regards,

--
John Bowman
University of Alberta

diff -ru cygwin.broken/cygheap.cc cygwin/cygheap.cc
--- cygwin.broken/cygheap.cc	2009-10-03 05:28:04.000000000 -0700
+++ cygwin/cygheap.cc	2010-04-12 05:43:47.640625000 -0700
@@ -363,7 +363,7 @@ cwcsdup (const PWCHAR s) { MALLOC_CHECK; - PWCHAR p = (PWCHAR) cmalloc (HEAP_STR, wcslen (s) + 1); + PWCHAR p = (PWCHAR) cmalloc (HEAP_STR, (wcslen (s) + 1) * sizeof(wchar_t)); if (!p) return NULL; wcpcpy (p, s); @@ -375,7 +375,7 @@ cwcsdup1 (const PWCHAR s) { MALLOC_CHECK; - PWCHAR p = (PWCHAR) cmalloc (HEAP_1_STR, wcslen (s) + 1); + PWCHAR p = (PWCHAR) cmalloc (HEAP_1_STR, (wcslen (s) + 1) * sizeof(wchar_t)); if (!p) return NULL; wcpcpy (p, s);
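Review bot: In the cwcsdup hunk (@@ -363,7 +363,7 @@) the new request `(wcslen (s) + 1) * sizeof(wchar_t)` is the right size, since `wcpcpy (p, s)` writes wcslen (s) + 1 wide characters and the old request counted characters where cmalloc expects bytes, but it is written `sizeof(wchar_t)` while every other call on these lines (`cmalloc (`, `wcslen (`, `wcpcpy (`) puts a space before the parenthesis; suggest `sizeof (wchar_t)` to match the surrounding code. Because p is declared PWCHAR, `sizeof (WCHAR)` (or `sizeof (*p)`) would also tie the element size to the pointer's own type instead of naming wchar_t a second time.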
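Review bot: The cwcsdup1 hunk (@@ -375,7 +375,7 @@) repeats the same correction for the HEAP_1_STR variant, which is consistent, but the patch carries no ChangeLog entry of the kind quoted earlier in the mail; suggest adding one along the lines of `* cygheap.cc (cwcsdup, cwcsdup1): Allocate wcslen (s) + 1 wide characters, not bytes.` so the fix is recorded next to the 2009-12-18 entry that exposed it. The same `sizeof(wchar_t)` spacing remark applies here, and with both functions now carrying an identical size expression a reviewer may prefer a single helper or macro so the two cannot drift apart again.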
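The sizing mistake the mail describes is easy to reproduce outside Cygwin. The following is an added example written for this page, not John Bowman's code and not taken from cygheap.cc: it reimplements the pre-patch and post-patch size computations as plain functions, computes how many bytes the copy would run past the end of a buffer sized the old way, and shows a correctly sized duplicate. `malloc` stands in for Cygwin's `cmalloc`, `memcpy` of the same byte count stands in for `wcpcpy`, and the sample string is a constructed value chosen to echo the programs named in the report. The fixed size computation also adds a wrap check on the multiplication, which the patch itself does not have.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Bytes that copying s (terminator included) actually writes: one
   sizeof (wchar_t) per wide character, not one byte per character. */
size_t bytes_needed (const wchar_t *s)
{
  return (wcslen (s) + 1) * sizeof (wchar_t);
}

/* Size requested by the pre-patch cwcsdup: a character count handed to an
   allocator that expects bytes. */
size_t broken_alloc_size (const wchar_t *s)
{
  return wcslen (s) + 1;
}

/* Size requested by the patched cwcsdup, plus a wrap check on the multiply
   (returns 0 if the product would not fit in size_t). */
size_t fixed_alloc_size (const wchar_t *s)
{
  size_t chars = wcslen (s) + 1;
  if (chars > SIZE_MAX / sizeof (wchar_t))
    return 0;
  return chars * sizeof (wchar_t);
}

/* Bytes the copy would write past the end of a buffer sized the broken way.
   Zero means no overflow; the result is nonzero even for the empty string. */
size_t overrun_bytes (const wchar_t *s)
{
  size_t need = bytes_needed (s);
  size_t got = broken_alloc_size (s);
  return need > got ? need - got : 0;
}

/* Duplicate s into a correctly sized heap block (malloc stands in for
   cmalloc, memcpy of the same byte count stands in for wcpcpy).
   Returns NULL on allocation failure. */
wchar_t *dup_wide (const wchar_t *s)
{
  size_t bytes = fixed_alloc_size (s);
  if (bytes == 0)
    return NULL;
  wchar_t *p = malloc (bytes);
  if (!p)
    return NULL;
  memcpy (p, s, bytes);
  return p;
}

int main (void)
{
  /* constructed sample input, named after one of the programs in the report */
  const wchar_t *sample = L"kpsewhich";
  printf ("sizeof (wchar_t) = %zu\n", sizeof (wchar_t));
  printf ("needed %zu bytes, broken request %zu, fixed request %zu, overrun %zu\n",
          bytes_needed (sample), broken_alloc_size (sample),
          fixed_alloc_size (sample), overrun_bytes (sample));
  wchar_t *copy = dup_wide (sample);
  if (copy && wcscmp (copy, sample) == 0)
    printf ("duplicate matches original\n");
  free (copy);
  return 0;
}
```

On a platform where `sizeof (wchar_t)` is 4 (typical Linux), a 9-character string needs 40 bytes while the broken request asks for 10, so the copy writes 30 bytes into whatever follows the block; with the 2-byte `wchar_t` Cygwin uses the overrun is half that, which is why the corruption showed up only intermittently, as the random fork-time faults in the report suggest.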