From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020529 Description of problem: When there is only one important hardware capability, then the terminating slash '/' is stored beyond the the end of a malloc()ed block. The bug [fix] is at line 334; the existing overrun occurs at line 356: -----sysdeps/generic/dl-sysdep.c line 332 /* Determine the total size of all strings together. */ if (cnt == 1) total = temp[0].len; /* BUG: forgot +1 */ else { total = (1UL << (cnt - 2)) * (temp[0].len + temp[cnt - 1].len + 2); for (n = 1; n + 1 < cnt; ++n) total += (1UL << (cnt - 3)) * (temp[n].len + 1); } /* The result structure: we use a very compressed way to store the various combinations of capability names. */ *sz = 1 << cnt; result = (struct r_strlenpair *) malloc (*sz * sizeof (*result) + total); if (result == NULL) goto no_memory; if (cnt == 1) { result[0].str = (char *) (result + *sz); result[0].len = temp[0].len + 1; result[1].str = (char *) (result + *sz); result[1].len = 0; cp = __mempcpy ((char *) (result + *sz), temp[0].str, temp[0].len); *cp = '/'; /* OVERRUN here */ ----- Version-Release number of selected component (if applicable): Source is glibc-2.3.1-20021219 How reproducible: Always Steps to Reproduce: 1.Run any program using ld-linux.so.2 on a machine with only one important hardware capability. Total capability of 0x383f9ff, from a i686 (PentiumIII Mobile) seems to be such a box. 2. 3. Actual Results: Terminating '/' is stored beyond the end of a malloc()ed block. Expected Results: Terminating '/' is stored within the malloc()ed block. Additional info:
This has been fixed some time ago in the glibc CVS version and should already be in glibc 2.3.2-27.9.