[Mono-bugs] [Bug 59552][Cri] New - Integer overflow in allocating strings

bugzilla-daemon@bugzilla.ximian.com bugzilla-daemon@bugzilla.ximian.com
Thu, 3 Jun 2004 09:37:48 -0400 (EDT)


Please do not reply to this email- if you want to comment on the bug, go to the
URL shown below and enter your comments there.

Changed by sebastien@ximian.com.

http://bugzilla.ximian.com/show_bug.cgi?id=59552

--- shadow/59552	2004-06-03 09:37:48.000000000 -0400
+++ shadow/59552.tmp.10525	2004-06-03 09:37:48.000000000 -0400
@@ -0,0 +1,58 @@
+Bug#: 59552
+Product: Mono: Runtime
+Version: unspecified
+OS: All
+OS Details: 
+Status: NEW   
+Resolution: 
+Severity: 
+Priority: Critical
+Component: misc
+AssignedTo: mono-bugs@ximian.com                            
+ReportedBy: sebastien@ximian.com               
+QAContact: mono-bugs@ximian.com
+TargetMilestone: ---
+URL: 
+Cc: 
+Summary: Integer overflow in allocating strings
+
+Description of Problem:
+There is a possible integer overflow in allocating strings. Really bad
+since someone can exploit this from managed code.
+
+
+Steps to reproduce the problem:
+1. Compile the following source code
+
+using System;
+
+public class Pad {
+	static void Main (string[] args) 
+	{
+		String s = String.Empty;
+		Console.WriteLine (s.PadLeft (Int32.Parse (args [0])).Length);
+	}
+}
+
+2. Execute it with a big integer (like Int32.MaxValue) as a parameter
+
+
+Actual Results:
+Mono hangs.
+
+
+Expected Results:
+A OutOfMemoryException should be thrown (because we can't allocate a string
+that long anyway).
+
+
+How often does this happen? 
+Always
+
+
+Additional Information:
+The string "object" is created with the specified length. However the
+memory allocated is much smaller (e.g. 10 bytes) because of the overflow.
+Padding the string means that we're writing the padding char in memory.
+
+See attached patch.
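Review bot: the fix in the runtime's string allocator should validate the requested length before the allocation size is computed, not after, because the overflow described under Additional Information is in that size computation: the character count gets multiplied by the per-character width and added to the object header, the product wraps to a small value (the report cites about 10 bytes), and the string object still records the full length, so the padding loop then writes far past the allocation. Compare the length against the largest value for which the size computation cannot wrap, and throw the OutOfMemoryException the Expected Results section asks for when it is exceeded; the check should also reject negative lengths, since the Int32.Parse call in the test program will happily produce one. Separately, the closing line "See attached patch." refers to an attachment that is not part of this mail, so the actual change cannot be reviewed here; the program in steps 1-2, run with Int32.MaxValue, is a good regression test to keep with the fix, asserting on the exception rather than on the absence of a hang.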