MGASA-2016-0013

Source
https://advisories.mageia.org/MGASA-2016-0013.html
Import Source
https://advisories.mageia.org/MGASA-2016-0013.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2016-0013
Published
2016-01-14T01:44:39Z
Modified
2016-01-14T01:33:43Z
Summary
Updated mono packages fix security vulnerability
Details

It was found that the float-parsing code used in Mono before 4.2 is derived from code vulnerable to CVE-2009-0689. The issue concerns the 'freelist' array, a global array of 16 pointers to 'Bigint'. This array is part of a memory allocation and reuse system that attempts to reduce the number of 'malloc' and 'free' calls. The system allocates blocks in power-of-two sizes, from 2^0 through 2^15, and stores freed blocks of each size in a linked list rooted at the corresponding cell of 'freelist'. The 'Balloc' and 'Bfree' functions that operate this system fail to check whether the size parameter 'k' is within the allocated 0..15 range. As a result, a sufficiently large allocation will have k=16 and treat the word immediately after 'freelist' as a pointer to a previously-allocated chunk. The specific results may vary significantly by version, platform, and compiler, since they depend on the layout of variables in memory. An attacker who can cause a carefully-chosen string to be converted to a floating-point number can cause a crash and potentially induce arbitrary code execution.


Affected packages

Mageia:5 / mono

Package

Name
mono
Purl
pkg:rpm/mageia/mono?distro=mageia-5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.12.1-1.2.mga5

Ecosystem specific

{
    "section": "core"
}