libio/wstrops.c:_IO_wstr_overflow does:

    /* new size, counted in wide characters */
    _IO_size_t new_size = 2 * old_wblen + 100;
    /* only the wrap of the wide-character count is caught here */
    if (new_size < old_wblen)
      return EOF;
    /* the conversion to bytes is unchecked */
    new_buf
      = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (new_size
                                                                   * sizeof (wchar_t));

This allows for overflow in calculating the new size in wide characters, but not for overflow in the multiplication to compute the size in bytes, which could thus overflow and result in a buffer overrun copying data into the new buffer.
(I don't know about the practical exploitability with a stream opened with open_wmemstream. At the doubling before the one resulting in the overflow you'd have buffers of (nearly) 1/4 and 1/2 of the address space or more allocated simultaneously, so it needs to be possible to allocate 3/4 of the address space in those two contiguous regions in order to get to the point where the overflow occurs.)
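The size arithmetic above, as an added example in plain C that is not code from the bug report or from glibc: the first function mirrors the quoted wide-character count check and lets the byte multiplication wrap silently, the second adds a bound check before the multiplication. The function names, the helper copy_fits and the choice of old_wblen = SIZE_MAX / 4 + 1 as the triggering length are mine; the copy length old_wblen follows the report's description of the copy into the new buffer. The bound check is my hardened form, not a transcription of the upstream fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <wchar.h>

/* Vulnerable form (added example modelled on the arithmetic quoted from
   libio/wstrops.c, not glibc's code).  Returns the byte count that would
   be handed to the allocator, or 0 where the original returns EOF. */
static size_t wstr_grow_bytes_vuln(size_t old_wblen)
{
    size_t new_size = 2 * old_wblen + 100;      /* count in wchar_t */
    if (new_size < old_wblen)                   /* catches only this wrap */
        return 0;
    return new_size * sizeof(wchar_t);          /* this product may wrap */
}

/* Hardened form: also refuse when new_size cannot be scaled to bytes.
   The bound SIZE_MAX / sizeof(wchar_t) is my check, not a copy of the
   upstream patch. */
static size_t wstr_grow_bytes_fixed(size_t old_wblen)
{
    size_t new_size = 2 * old_wblen + 100;
    if (new_size < old_wblen)
        return 0;
    if (new_size > SIZE_MAX / sizeof(wchar_t))  /* product would wrap */
        return 0;
    return new_size * sizeof(wchar_t);
}

/* Would a buffer of alloc_bytes hold the old_wblen wide characters that
   the overflow routine copies into the new buffer?  alloc_bytes == 0
   means the grow was refused, so nothing is copied and nothing overruns. */
static int copy_fits(size_t alloc_bytes, size_t old_wblen)
{
    if (alloc_bytes == 0)
        return 1;
    return alloc_bytes / sizeof(wchar_t) >= old_wblen;
}

int main(void)
{
    /* Constructed trigger: old_wblen just over a quarter of the address
       space, so 2 * old_wblen + 100 still fits in size_t but the byte
       product does not.  The 2 * old_wblen part vanishes modulo 2^N and
       only 100 * sizeof(wchar_t) bytes are requested. */
    size_t trigger = SIZE_MAX / 4 + 1;
    size_t vuln = wstr_grow_bytes_vuln(trigger);
    size_t fixed = wstr_grow_bytes_fixed(trigger);

    printf("old_wblen        = %zu wide chars\n", trigger);
    printf("vulnerable alloc = %zu bytes, copy fits: %d\n",
           vuln, copy_fits(vuln, trigger));
    printf("hardened alloc   = %zu bytes (0 = grow refused)\n", fixed);
    return 0;
}
```

Build with cc -Wall -o wstr_grow wstr_grow.c and run it. On an LP64 target the trigger is 2^62 wide characters: the vulnerable path asks the allocator for 400 bytes and then copies 2^64 bytes into them, while the hardened path returns EOF before allocating. Reaching that state requires a buffer of a quarter of the address space already in hand, which is the practical limit the report points out.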
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, master has been updated
via bdf1ff052a8e23d637f2c838fa5642d78fcedc33 (commit)
from 9529611240b612fec59e289673d05f83396aede4 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bdf1ff052a8e23d637f2c838fa5642d78fcedc33
commit bdf1ff052a8e23d637f2c838fa5642d78fcedc33
Author: Paul Pluzhnikov <ppluzhnikov@google.com>
Date: Sun Feb 22 12:01:47 2015 -0800
Fix BZ #17269 -- _IO_wstr_overflow integer overflow
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 6 ++++++
NEWS | 6 +++---
libio/wstrops.c | 8 +++++++-
3 files changed, 16 insertions(+), 4 deletions(-)