CVE-2016-9427

Source
Severity High
Remote Yes
Type Arbitrary code execution
Description
An integer overflow problem has been discovered that leads to heap corruption. When calling GC_MALLOC_ATOMIC(0xFFFFFFFFFFFFF2ABull), the expected behavior is obviously an out-of-memory condition: return NULL or abort. However, libgc returns a pointer. The caller assumes the allocation succeeded and starts writing data into the heap through that pointer, which corrupts the heap.
The cause is an integer overflow in the macro OBJ_SZ_TO_BLOCKS in gc_priv.h:1021. The expression (sz) + HBLKSIZE-1 overflows and becomes a small positive number. After the overflow, libgc allocates a small block of memory and returns the pointer.
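The following C model is an added example, not code from bdwgc or from this advisory: it reproduces the rounding step the description names (size to heap-block count) for the reported request size, puts a saturating variant beside it, and shows why only the latter lets an allocator refuse the request. The 4 KiB HBLKSIZE, the heap limit, and all function names are assumptions, and the saturating form is an illustrative hardening rather than the project's exact patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumptions for this model: 4 KiB heap blocks and a constructed heap cap. */
#define LOG_HBLKSIZE 12
#define HBLKSIZE ((size_t)1 << LOG_HBLKSIZE)
#define HEAP_LIMIT_BLOCKS ((size_t)1 << 20)  /* 4 GiB worth of blocks */

/* The request from the report: on 64-bit size_t this equals
 * 0xFFFFFFFFFFFFF2AB; written relative to SIZE_MAX so it wraps on any width. */
#define CVE_REQUEST (SIZE_MAX - (size_t)0xD54)

/* Vulnerable rounding, modelled on the OBJ_SZ_TO_BLOCKS shape the advisory
 * describes: sz + HBLKSIZE - 1 wraps around, so a huge request rounds to a
 * tiny block count instead of failing. */
static size_t obj_sz_to_blocks_unchecked(size_t sz) {
    return (sz + HBLKSIZE - 1) >> LOG_HBLKSIZE;
}

/* Hardened rounding (illustrative): saturate instead of wrapping, so the
 * block count for an impossible request stays impossibly large. */
static size_t obj_sz_to_blocks_checked(size_t sz) {
    size_t rounded = (sz > SIZE_MAX - (HBLKSIZE - 1)) ? SIZE_MAX
                                                      : sz + HBLKSIZE - 1;
    return rounded >> LOG_HBLKSIZE;
}

/* Model of the allocator's decision (not libgc's real logic): accept when the
 * rounded block count fits the heap cap. Returns 1 if accepted, 0 if refused. */
static int request_accepted(size_t sz, size_t (*to_blocks)(size_t)) {
    return to_blocks(sz) <= HEAP_LIMIT_BLOCKS;
}

int main(void) {
    printf("unchecked: %zu blocks, accepted=%d\n",
           obj_sz_to_blocks_unchecked(CVE_REQUEST),
           request_accepted(CVE_REQUEST, obj_sz_to_blocks_unchecked));
    printf("checked:   %zu blocks, accepted=%d\n",
           obj_sz_to_blocks_checked(CVE_REQUEST),
           request_accepted(CVE_REQUEST, obj_sz_to_blocks_checked));
    return 0;
}
```

The wrapped sum for the reported size comes out as 0x2AA, which rounds to zero blocks; the unchecked path therefore treats the request as satisfiable, while the saturating path yields SIZE_MAX >> 12 blocks and is refused.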
References
https://github.com/ivmai/bdwgc/issues/135
Notes
This issue is fixed with:
https://github.com/ivmai/bdwgc/commit/4e1a6f9d8f2a49403bbd00b8c8e5324048fb84d4
https://github.com/ivmai/bdwgc/commit/7292c02fac2066d39dd1bcc37d1a7054fd1e32ee
https://github.com/ivmai/bdwgc/commit/552ad0834672fed86ada6430150ef9ebdd3f54d7