[Bug 1259656] [NEW] bc uses uninitialized memory

Kees Cook kees at ubuntu.com
Tue Dec 10 19:23:09 UTC 2013 

Public bug reported:

This is http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608255 fixed in
later package versions:

bc depends on uninitialized mem:

echo "e(1)" | MALLOC_PERTURB_=1 bc -l
echo "e(1)" | MALLOC_PERTURB_=0 bc -l
2.71828182845904523536

This fixes it:

--- storage.c.orig      2010-12-21 19:43:14.663540110 +0000
+++ storage.c   2010-12-21 19:42:01.392540111 +0000
@@ -99,6 +99,7 @@
    {
       f = &functions[indx];
       f->f_defined = FALSE;
+      f->f_void = FALSE;
       f->f_body = (char *) bc_malloc (BC_START_SIZE);
       f->f_body_size = BC_START_SIZE;
       f->f_code_size = 0;


IMPACT:
"bc" mathlib routines fail when running under the MALLOC_PERTURB_ environment used by some paranoid people.

TEST CASE:
The command 'echo "e(1)" | MALLOC_PERTURB_=1 bc -l' should return '2.71828182845904523536' instead of nothing.

REGRESSION POTENTIAL:
Extremely low -- this fix is included in later package versions and fixes the problem.

** Affects: bc (Ubuntu)
     Importance: Undecided
         Status: Fix Released

** Affects: bc (Ubuntu Precise)
     Importance: Undecided
         Status: New

** Affects: bc (Debian)
     Importance: Unknown
         Status: Unknown

** Bug watch added: Debian Bug tracker #608255
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608255

** Also affects: bc via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608255
   Importance: Unknown
       Status: Unknown

** No longer affects: bc

** Also affects: bc (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608255
   Importance: Unknown
       Status: Unknown

** Also affects: bc (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Changed in: bc (Ubuntu)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to bc in Ubuntu.
https://bugs.launchpad.net/bugs/1259656

Title:
  bc uses uninitialized memory

Status in “bc” package in Ubuntu:
  Fix Released
Status in “bc” source package in Precise:
  New
Status in “bc” package in Debian:
  Unknown

Bug description:
  This is http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608255 fixed
  in later package versions:

  bc depends on uninitialized mem:

  echo "e(1)" | MALLOC_PERTURB_=1 bc -l
  echo "e(1)" | MALLOC_PERTURB_=0 bc -l
  2.71828182845904523536

  This fixes it:

  --- storage.c.orig      2010-12-21 19:43:14.663540110 +0000
  +++ storage.c   2010-12-21 19:42:01.392540111 +0000
  @@ -99,6 +99,7 @@
      {
         f = &functions[indx];
         f->f_defined = FALSE;
  +      f->f_void = FALSE;
         f->f_body = (char *) bc_malloc (BC_START_SIZE);
         f->f_body_size = BC_START_SIZE;
         f->f_code_size = 0;

  
  IMPACT:
  "bc" mathlib routines fail when running under the MALLOC_PERTURB_ environment used by some paranoid people.

  TEST CASE:
  The command 'echo "e(1)" | MALLOC_PERTURB_=1 bc -l' should return '2.71828182845904523536' instead of nothing.

  REGRESSION POTENTIAL:
  Extremely low -- this fix is included in later package versions and fixes the problem.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bc/+bug/1259656/+subscriptions

More information about the foundations-bugs mailing list