[13076] in bugtraq


Re: procmail / Sendmail - five bugs

daemon@ATHENA.MIT.EDU (Casper Dik)
Thu Dec 23 14:01:15 1999

Message-Id:  <199912231435.PAA21815@romulus>
Date:         Thu, 23 Dec 1999 15:35:58 +0100
Reply-To: Casper Dik <casper@HOLLAND.SUN.COM>
From: Casper Dik <casper@HOLLAND.SUN.COM>
X-To:         Michal Zalewski <lcamtuf@IDS.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  Your message of "Thu, 23 Dec 1999 11:55:52 +0100." 
              <lcamtuf.4.05.9912231116570.518-100000@nimue.ids.pl>

>a) On some glibc 2.0 machines (eg. RedHat), malloc(negative_integer) won't
>result in EINVAL, but with valid pointer, for which malloc_usable_size()
>returns size of 12 bytes. Heap overflows possible? Hmm, at least SEGVs in
>procmail :)


On a pedantic note: it is not possible to call a standard-conforming malloc()
with a negative integer; the argument to malloc is unsigned (size_t).
In Solaris, calls to malloc > 2^31-1 can result in memory being returned
of the requested size.  Various older releases of Solaris do have problems
at the 2GB barrier, even though > 2GB can be available for malloc.

Casper
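
Added example, not part of the original message and not procmail or Sendmail code: a C sketch of the conversion described above, showing the value malloc() receives when a signed length is passed, how a negative length plus a small constant wraps to a small size, and a wrapper that rejects both cases. The helper names (as_malloc_sees, unchecked_total, checked_alloc) and the sample lengths are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The parameter of malloc() is size_t, so a signed length is converted
 * before the allocator ever sees it: -1 arrives as SIZE_MAX. */
size_t as_malloc_sees(long len)
{
    return (size_t)len;
}

/* Size arithmetic done without checks: a negative length plus a small
 * constant wraps around to a small, valid-looking request. */
size_t unchecked_total(long len, size_t extra)
{
    return (size_t)len + extra;
}

/* Hypothetical checked wrapper: refuse negative lengths and sums that
 * do not fit in size_t instead of passing a wrapped value to malloc(). */
void *checked_alloc(long len, size_t extra)
{
    if (len < 0)
        return NULL;                 /* would convert to a huge size_t */
    if ((size_t)len > SIZE_MAX - extra)
        return NULL;                 /* len + extra would overflow */
    return malloc((size_t)len + extra);
}

int main(void)
{
    /* Constructed sample values, not taken from any real message. */
    printf("malloc(-1) is asked for %zu bytes\n", as_malloc_sees(-1));
    printf("-8 + 16 header bytes wraps to %zu\n", unchecked_total(-8, 16));

    void *p = checked_alloc(-8, 16);
    printf("checked_alloc(-8, 16) -> %s\n", p ? "allocated" : "rejected");
    free(p);                         /* free(NULL) is a no-op */

    p = checked_alloc(32, 16);
    printf("checked_alloc(32, 16) -> %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```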
