Red Hat Bugzilla – Bug 211484
CVE-2006-4810 texindex buffer overflow
Last modified: 2007-11-30 17:07:27 EST
Miloslav Trmac found a heap overflow in the way texindex handles data from
certain index files.
The texindex utility contains a heap overflow; when the data for a
generated index is larger than 500,000 bytes, an incorrect reallocation
code in readline() allows heap overflow by index lines longer than 400
It looks like the code in readline() of texindex.c has some crazy arithmetic.
char *buffer = linebuffer->buffer;
char *p = linebuffer->buffer;
char *end = p + linebuffer->size;
int c = getc (stream);
if (p == end)
buffer = (char *) xrealloc (buffer, linebuffer->size *= 2);
p += buffer - linebuffer->buffer;
end += buffer - linebuffer->buffer;
linebuffer->buffer = buffer;
It would seem that when p == end, p and end are assigned what could be a random
memory addresses as the location of buffer is likely to change with a realloc
from a size of 200 to 400 bytes. p then proceedes to dump trash on the heap
until the current line ends.
This issue also affects RHEL2 and RHEL3
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.