<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
<title>Boost C++ Libraries: Ticket #6701: integer overflows in ordered_malloc()</title>
<link>https://svn.boost.org/trac10/ticket/6701</link>
<description>
<p> Consider pool::ordered_malloc(size_type n). </p>
<blockquote> <p> const size_type total_req_size = n * requested_size; </p> </blockquote>
<p> Given a large n, total_req_size will wrap around to a small integer. The allocated memory would be smaller than expected, leading to a potential buffer overflow. </p>
</description>
<language>en-us</language>
<image>
<title>Boost C++ Libraries</title>
<url>/htdocs/site/boost.png</url>
<link>https://svn.boost.org/trac10/ticket/6701</link>
</image>
<generator>Trac 1.4.3</generator>

<item>
<author>Xi Wang &lt;xi.wang@…&gt;</author>
<pubDate>Sun, 18 Mar 2012 02:09:24 GMT</pubDate>
<title>attachment set</title>
<link>https://svn.boost.org/trac10/ticket/6701</link>
<guid isPermaLink="false">https://svn.boost.org/trac10/ticket/6701</guid>
<description>
<ul>
<li><strong>attachment</strong> → <span class="trac-field-new">pool.patch</span></li>
</ul>
<p> fix integer overflows in pool::ordered_malloc </p>
</description>
<category>Ticket</category>
</item>

<item>
<dc:creator>edupuis</dc:creator>
<pubDate>Thu, 03 May 2012 16:48:12 GMT</pubDate>
<title>owner, status changed</title>
<link>https://svn.boost.org/trac10/ticket/6701#comment:1</link>
<guid isPermaLink="false">https://svn.boost.org/trac10/ticket/6701#comment:1</guid>
<description>
<ul>
<li><strong>owner</strong> changed from <span class="trac-author">Chris Newbold</span> to <span class="trac-author">edupuis</span></li>
<li><strong>status</strong> <span class="trac-field-old">new</span> → <span class="trac-field-new">assigned</span></li>
</ul>
</description>
<category>Ticket</category>
</item>

<item>
<dc:creator>edupuis</dc:creator>
<pubDate>Fri, 04 May 2012 19:31:30 GMT</pubDate>
<title/>
<link>https://svn.boost.org/trac10/ticket/6701#comment:2</link>
<guid isPermaLink="false">https://svn.boost.org/trac10/ticket/6701#comment:2</guid>
<description>
<p> There are many other overflows in class pool that need to be fixed. </p>
</description>
<category>Ticket</category>
</item>

<item>
<dc:creator>edupuis</dc:creator>
<pubDate>Fri, 04 May 2012 20:35:30 GMT</pubDate>
<title>status changed; resolution set</title>
<link>https://svn.boost.org/trac10/ticket/6701#comment:3</link>
<guid isPermaLink="false">https://svn.boost.org/trac10/ticket/6701#comment:3</guid>
<description>
<ul>
<li><strong>status</strong> <span class="trac-field-old">assigned</span> → <span class="trac-field-new">closed</span></li>
<li><strong>resolution</strong> → <span class="trac-field-new">fixed</span></li>
</ul>
<p> (In <a class="changeset" href="https://svn.boost.org/trac10/changeset/78326" title="Clamped value of parameters 'next_size' and 'max_size' (which controls ...">[78326]</a>) Clamped value of parameters 'next_size' and 'max_size' (which controls the number of memory chunks to allocate) such that when computing the number of bytes that must be allocated, this number of bytes never overflows a 'size_type'. This fixes <a class="new ticket" href="https://svn.boost.org/trac10/ticket/6701" title="#6701: Bugs: integer overflows in ordered_malloc() (new)">#6701</a>, in a different manner than the submitted patch. </p>
</description>
<category>Ticket</category>
</item>

<item>
<dc:creator>edupuis</dc:creator>
<pubDate>Mon, 21 May 2012 06:00:00 GMT</pubDate>
<title>status changed; resolution deleted</title>
<link>https://svn.boost.org/trac10/ticket/6701#comment:4</link>
<guid isPermaLink="false">https://svn.boost.org/trac10/ticket/6701#comment:4</guid>
<description>
<ul>
<li><strong>status</strong> <span class="trac-field-old">closed</span> → <span class="trac-field-new">reopened</span></li>
<li><strong>resolution</strong> <span class="trac-field-deleted">fixed</span></li>
</ul>
</description>
<category>Ticket</category>
</item>

<item>
<dc:creator>edupuis</dc:creator>
<pubDate>Mon, 16 Jul 2012 20:02:28 GMT</pubDate>
<title>owner, status, type changed</title>
<link>https://svn.boost.org/trac10/ticket/6701#comment:5</link>
<guid isPermaLink="false">https://svn.boost.org/trac10/ticket/6701#comment:5</guid>
<description>
<ul>
<li><strong>owner</strong> changed from <span class="trac-author">edupuis</span> to <span class="trac-author">John Maddock</span></li>
<li><strong>status</strong> <span class="trac-field-old">reopened</span> → <span class="trac-field-new">new</span></li>
<li><strong>type</strong> <span class="trac-field-old">Patches</span> → <span class="trac-field-new">Bugs</span></li>
</ul>
<p> <a class="ext-link" href="https://svn.boost.org/svn/boost/sandbox/pool">https://svn.boost.org/svn/boost/sandbox/pool</a> at revision 79460 contains a solution for tickets <a class="new ticket" href="https://svn.boost.org/trac10/ticket/3789" title="#3789: Bugs: boost::object_pool::free() is very slow. (new)">#3789</a>, <a class="new ticket" href="https://svn.boost.org/trac10/ticket/5902" title="#5902: Bugs: Division by zero when requesting null sized buffers (new)">#5902</a>, <a class="new ticket" href="https://svn.boost.org/trac10/ticket/6561" title="#6561: Bugs: pool.free() crashes if given a null pointer (new)">#6561</a>, <a class="new ticket" href="https://svn.boost.org/trac10/ticket/6610" title="#6610: Feature Requests: customizing boost::pool/boost::object_pool via template parameter for ... (new)">#6610</a>, <a class="new ticket" href="https://svn.boost.org/trac10/ticket/6701" title="#6701: Bugs: integer overflows in ordered_malloc() (new)">#6701</a>, <a class="closed ticket" href="https://svn.boost.org/trac10/ticket/6718" title="#6718: Bugs: Missing images (closed: fixed)">#6718</a>, <a class="new ticket" href="https://svn.boost.org/trac10/ticket/6865" title="#6865: Feature Requests: pool.get_size() (new)">#6865</a> and <a class="new ticket" href="https://svn.boost.org/trac10/ticket/6867" title="#6867: Bugs: Unclear behavior of parameter 'max_size' (new)">#6867</a>. Related test cases are also present. </p>
<p> <a class="ext-link" href="https://svn.boost.org/svn/boost/sandbox/pool">https://svn.boost.org/svn/boost/sandbox/pool</a> at revision 79460 does <strong>not</strong> contain any other new features or modifications other than those related to the above tickets. </p>
<p> Boost.Pool currently has no maintainer and is thus orphaned. </p>
</description>
<category>Ticket</category>
</item>

<item>
<dc:creator>Denis Arnaud</dc:creator>
<pubDate>Fri, 20 Jul 2012 14:36:48 GMT</pubDate>
<title/>
<link>https://svn.boost.org/trac10/ticket/6701#comment:6</link>
<guid isPermaLink="false">https://svn.boost.org/trac10/ticket/6701#comment:6</guid>
<description>
<p> Would it be possible to apply that patch on the release branch (as well as on the trunk)? So, the milestone could become 1.51, if I understand correctly. </p>
<p> Note that that security/vulnerability issue is tracked by the following page: <a class="ext-link" href="http://www.openwall.com/lists/oss-security/2012/06/07/13">http://www.openwall.com/lists/oss-security/2012/06/07/13</a> </p>
<p> Reference for Fedora/RedHat/CentOS: <a class="ext-link" href="https://bugzilla.redhat.com/show_bug.cgi?id=828856">https://bugzilla.redhat.com/show_bug.cgi?id=828856</a> </p>
</description>
<category>Ticket</category>
</item>

<item>
<dc:creator>Marshall Clow</dc:creator>
<pubDate>Fri, 20 Jul 2012 17:11:28 GMT</pubDate>
<title/>
<link>https://svn.boost.org/trac10/ticket/6701#comment:7</link>
<guid isPermaLink="false">https://svn.boost.org/trac10/ticket/6701#comment:7</guid>
<description>
<p> Replying to <a class="ticket" href="https://svn.boost.org/trac10/ticket/6701#comment:4" title="Comment 4">edupuis</a>: </p>
<p> I'm curious why this ticket was reopened. Did <a class="changeset" href="https://svn.boost.org/trac10/changeset/78326" title="Clamped value of parameters 'next_size' and 'max_size' (which controls ...">[78326]</a> not fix this problem? </p>
<p> All I see is a notice that the ticket has been reopened. </p>
<p> To prevent confusion like this, a test that demonstrates the problem would be useful. </p>
</description>
<category>Ticket</category>
</item>

<item>
<dc:creator>Denis Arnaud</dc:creator>
<pubDate>Fri, 20 Jul 2012 18:08:04 GMT</pubDate>
<title/>
<link>https://svn.boost.org/trac10/ticket/6701#comment:8</link>
<guid isPermaLink="false">https://svn.boost.org/trac10/ticket/6701#comment:8</guid>
<description>
<p> Replying to <a class="ticket" href="https://svn.boost.org/trac10/ticket/6701#comment:7" title="Comment 7">marshall</a>: </p>
<blockquote class="citation">
<p> Replying to <a class="ticket" href="https://svn.boost.org/trac10/ticket/6701#comment:4" title="Comment 4">edupuis</a>: </p>
<p> I'm curious why this ticket was reopened. Did <a class="changeset" href="https://svn.boost.org/trac10/changeset/78326" title="Clamped value of parameters 'next_size' and 'max_size' (which controls ...">[78326]</a> not fix this problem? </p>
</blockquote>
<p> <a class="changeset" href="https://svn.boost.org/trac10/changeset/78326" title="Clamped value of parameters 'next_size' and 'max_size' (which controls ...">[78326]</a> fixed this problem... but only within the sandbox branch :( So, the fix/patch needs to be applied to both the trunk and release branches. </p>
<p> Hope it clarifies. </p>
</description>
<category>Ticket</category>
</item>

<item>
<author>Petr Machata &lt;pmachata@…&gt;</author>
<pubDate>Tue, 02 Dec 2014 14:57:53 GMT</pubDate>
<title/>
<link>https://svn.boost.org/trac10/ticket/6701#comment:9</link>
<guid isPermaLink="false">https://svn.boost.org/trac10/ticket/6701#comment:9</guid>
<description>
<p> I just checked the master branch (a038658 in particular), and the fix is not applied. Is there a reason not to push this to master? In Fedora we have kept lugging the patch along for years; it would be really nice to be able to retire it. Thank you. </p>
</description>
<category>Ticket</category>
</item>

<item>
<dc:creator>anonymous</dc:creator>
<pubDate>Fri, 17 Jul 2015 10:01:02 GMT</pubDate>
<title/>
<link>https://svn.boost.org/trac10/ticket/6701#comment:10</link>
<guid isPermaLink="false">https://svn.boost.org/trac10/ticket/6701#comment:10</guid>
<description>
<p> Still not fixed on master. </p>
</description>
<category>Ticket</category>
</item>

<item>
<author>jwakely &lt;jwakely.boost@…&gt;</author>
<pubDate>Fri, 17 Jul 2015 11:17:31 GMT</pubDate>
<title>attachment set</title>
<link>https://svn.boost.org/trac10/ticket/6701</link>
<guid isPermaLink="false">https://svn.boost.org/trac10/ticket/6701</guid>
<description>
<ul>
<li><strong>attachment</strong> → <span class="trac-field-new">boost-1.58.0-pool.patch</span></li>
</ul>
<p> Updated patch against 1.58.0, fixing shadowing warning. </p>
</description>
<category>Ticket</category>
</item>

<item>
<author>jwakely &lt;jwakely.boost@…&gt;</author>
<pubDate>Fri, 17 Jul 2015 15:22:02 GMT</pubDate>
<title>attachment set</title>
<link>https://svn.boost.org/trac10/ticket/6701</link>
<guid isPermaLink="false">https://svn.boost.org/trac10/ticket/6701</guid>
<description>
<ul>
<li><strong>attachment</strong> → <span class="trac-field-new">boost-1.58.0-pool.2.patch</span></li>
</ul>
<p> *Correct* patch against 1.58.0, fixing shadowing warning. </p>
</description>
<category>Ticket</category>
</item>

<item>
<author>jwakely &lt;jwakely.boost@…&gt;</author>
<pubDate>Fri, 17 Jul 2015 15:23:03 GMT</pubDate>
<title/>
<link>https://svn.boost.org/trac10/ticket/6701#comment:11</link>
<guid isPermaLink="false">https://svn.boost.org/trac10/ticket/6701#comment:11</guid>
<description>
<p> The first patch I attached earlier today was the wrong version, which doesn't build, sorry. The second one is the right version of the file that I'm actually using here. </p>
</description>
<category>Ticket</category>
</item>

<item>
<author>g.gupta@…</author>
<pubDate>Thu, 20 Aug 2015 08:45:54 GMT</pubDate>
<title/>
<link>https://svn.boost.org/trac10/ticket/6701#comment:12</link>
<guid isPermaLink="false">https://svn.boost.org/trac10/ticket/6701#comment:12</guid>
<description>
<p> Is this fix applied to trunk code? </p>
</description>
<category>Ticket</category>
</item>

<item>
<author>Jonathan Wakely &lt;jwakely.boost@…&gt;</author>
<pubDate>Thu, 20 Aug 2015 09:17:11 GMT</pubDate>
<title/>
<link>https://svn.boost.org/trac10/ticket/6701#comment:13</link>
<guid isPermaLink="false">https://svn.boost.org/trac10/ticket/6701#comment:13</guid>
<description>
<p> Replying to <a class="ticket" href="https://svn.boost.org/trac10/ticket/6701#comment:12" title="Comment 12">g.gupta@…</a>: </p>
<blockquote class="citation">
<p> Is this fix applied to trunk code? </p>
</blockquote>
<p> No. </p>
</description>
<category>Ticket</category>
</item>
</channel>
</rss>
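The defect the ticket opens with is the unchecked product n * requested_size: once it wraps, the pool hands back a buffer smaller than the caller asked for. The following is an added example, not Boost.Pool's code and not the attached patches; it shows the overflow-checked multiply a practitioner would put in front of such a size computation, the wraparound it guards against, and a chunk-count clamp in the spirit of the [78326] commit message (the clamp's exact shape is an assumption). ToyPool, checked_mul, unchecked_total and clamp_chunk_count are all hypothetical names introduced here.

```cpp
#include <cstddef>
#include <limits>
#include <new>

// Overflow-checked multiply for allocation sizes. Returns false (and leaves
// `out` untouched) when a * b does not fit in size_t, instead of wrapping the
// way the unchecked `n * requested_size` from the ticket does.
bool checked_mul(std::size_t a, std::size_t b, std::size_t& out) {
    if (a != 0 && b > std::numeric_limits<std::size_t>::max() / a) {
        return false;
    }
    out = a * b;
    return true;
}

// The unchecked computation from the ticket, kept only to show the wraparound:
// with n = SIZE_MAX/2 + 1 and requested_size = 2 the product is exactly 0.
std::size_t unchecked_total(std::size_t n, std::size_t requested_size) {
    return n * requested_size; // wraps silently, undersizing the allocation
}

// Clamp a chunk count so that count * chunk_size can never exceed size_t.
// Assumed shape of the remedy the [78326] commit message describes for
// 'next_size' and 'max_size'; the real Boost code is not reproduced here.
std::size_t clamp_chunk_count(std::size_t count, std::size_t chunk_size) {
    if (chunk_size == 0) {
        return count; // nothing to clamp against; a zero chunk size must be rejected upstream
    }
    const std::size_t limit = std::numeric_limits<std::size_t>::max() / chunk_size;
    return count > limit ? limit : count;
}

// Hypothetical stand-in for pool::ordered_malloc(n) (not Boost.Pool's code):
// an oversized request is refused with nullptr rather than served from a
// buffer that is smaller than n * requested_size.
struct ToyPool {
    std::size_t requested_size;

    explicit ToyPool(std::size_t rs) : requested_size(rs) {}

    void* ordered_malloc(std::size_t n) {
        std::size_t total_req_size = 0;
        if (!checked_mul(n, requested_size, total_req_size)) {
            return nullptr; // would have wrapped; refuse instead of under-allocating
        }
        return ::operator new(total_req_size, std::nothrow);
    }

    void free(void* p) {
        ::operator delete(p);
    }
};

int main() {
    ToyPool pool(16);
    void* ok = pool.ordered_malloc(4);  // 64 bytes, served normally
    void* bad = pool.ordered_malloc(std::numeric_limits<std::size_t>::max());  // refused
    pool.free(ok);
    return (ok != nullptr && bad == nullptr) ? 0 : 1;
}
```

The division-based test in checked_mul is portable to any size_t width, which matters here because the ticket's wrap happens at different n on 32-bit and 64-bit builds; on compilers that provide `__builtin_mul_overflow` the same check can be written as a single call.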