Bug 14461 - preprocessor cause buffer overflow
Summary: preprocessor cause buffer overflow
Status: RESOLVED FIXED
Alias: None
Product: gcc
Classification: Unclassified
Component: preprocessor
Version: 3.3.3
Importance: P2 normal
Target Milestone: 3.4.0
Assignee: Not yet assigned to anyone
Reported: 2004-03-06 17:57 UTC by Kurata Sayuri
Modified: 2005-07-23 22:49 UTC
Host: i686-pc-linux-gnu
Target: i686-pc-linux-gnu
Build: i686-pc-linux-gnu
Description Kurata Sayuri 2004-03-06 17:57:46 UTC
The preprocessor allocates a buffer using mmap() or malloc() for reading include files
at cppfiles.c / read_include_file().
When using malloc(), the buffer can be NUL-terminated.
But when using mmap(), the buffer cannot be NUL-terminated.

Almost all implementations of mmap() NUL-terminate after the mmap()ed file data.
But XFS (SGI's file system) on Linux is different.

So everywhere the buffer is read, like 'buffer->cur++', must check for buffer overflow.
For example, at cpplex.c / _cpp_lex_direct():
> skipped_white:
+  if( buffer->cur > buffer->rlimit )
+    c = '\0';
+  else
>  c = *buffer->cur++;
>  result->col = CPP_BUF_COLUMN (buffer, buffer->cur);
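Review bot: whether `buffer->cur > buffer->rlimit` or `>=` is the right comparison depends on whether rlimit points at the last valid byte or one past it, which the hunk does not show; please confirm against how read_include_file() sets rlimit, because with an exclusive limit the check as written still allows one read of the byte after the data. Also, the new branch yields '\0' without advancing cur, so the code after `skipped_white:` must treat that character as end-of-buffer exactly as it treated the zero byte that used to follow the mapping.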
Comment 1 Andrew Pinski 2004-03-06 18:43:08 UTC
It is a bug in XFS then, because this is behavior which the 3.3.x preprocessor depended on, but this is fixed for 3.4.0 by no longer using mmap on a file.
Comment 2 Zack Weinberg 2004-03-06 23:45:18 UTC
Just to confirm what Andrew said:

The Single Unix Standard *requires* mmap to zero-fill to a page boundary.
Not doing this is a potential security hole.  Report this to the XFS developers
as a critical bug.

GCC 3.4 does not use mmap and will not be affected by the bug.

zw
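As an added example (not code from the bug report or from GCC), the two strategies the thread contrasts side by side: the reporter's bounds check against rlimit, so the lexer never reads the byte after the file data and does not care whether the mapping is zero-filled, and the malloc() path that writes its own terminator, which is what a non-mmap reader like GCC 3.4's relies on. The struct and field names follow the report; the convention that rlimit points one past the last valid byte, the helper names and the sample file contents are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the cpplib buffer named in the report.  Names (buf, cur,
 * rlimit) follow the report; the convention that rlimit points one past the
 * last valid byte is an assumption of this example, not cpplib's definition. */
struct cpp_buffer {
    const unsigned char *buf;     /* first byte of the file data */
    const unsigned char *cur;     /* next byte to read */
    const unsigned char *rlimit;  /* one past the last valid byte */
};

void buffer_init(struct cpp_buffer *b, const unsigned char *data, size_t len)
{
    b->buf = data;
    b->cur = data;
    b->rlimit = data + len;
}

/* Bounds-checked fetch.  Returns '\0' once cur reaches rlimit instead of
 * reading the byte after the mapping, so the lexer never depends on a
 * terminator being present in memory past the file data. */
int buffer_getc(struct cpp_buffer *b)
{
    if (b->cur >= b->rlimit)
        return '\0';
    return *b->cur++;
}

/* Toy lexer: counts whitespace-separated tokens, stopping on the '\0' that
 * buffer_getc reports at end of data (an embedded NUL ends the scan too,
 * mirroring the report's use of '\0' as the end marker). */
size_t count_tokens(const unsigned char *data, size_t len)
{
    struct cpp_buffer b;
    size_t tokens = 0;
    int in_token = 0;
    int c;

    buffer_init(&b, data, len);
    while ((c = buffer_getc(&b)) != '\0') {
        if (c == ' ' || c == '\t' || c == '\n' || c == '\r') {
            in_token = 0;
        } else if (!in_token) {
            in_token = 1;
            tokens++;
        }
    }
    return tokens;
}

/* The malloc() path from the report: copy the file data into a heap buffer
 * one byte longer than the file and write the terminator ourselves, so
 * strlen()-style scanning is safe regardless of what follows the data. */
unsigned char *copy_nul_terminated(const unsigned char *data, size_t len)
{
    unsigned char *p = malloc(len + 1);
    if (p == NULL)
        return NULL;
    memcpy(p, data, len);
    p[len] = '\0';
    return p;
}

/* Length a terminator-dependent scanner sees over the copied buffer. */
size_t terminated_length(const unsigned char *data, size_t len)
{
    unsigned char *p = copy_nul_terminated(data, len);
    size_t n;
    if (p == NULL)
        return 0;
    n = strlen((const char *)p);
    free(p);
    return n;
}

int main(void)
{
    /* Constructed "include file" contents.  The literal's own NUL is
     * deliberately left out of len, standing in for a mapping that is not
     * followed by a terminator. */
    static const char file_data[] = "#include <a.h>\nint x;";
    size_t len = sizeof file_data - 1;

    printf("tokens: %zu\n", count_tokens((const unsigned char *)file_data, len));
    printf("strlen after copy: %zu (file length %zu)\n",
           terminated_length((const unsigned char *)file_data, len), len);
    return 0;
}
```

The point of `buffer_getc` is that the limit comes from the byte count the reader already knows, not from a sentinel the filesystem may or may not place after the mapping; the `copy_nul_terminated` path is the alternative the later comments endorse, paying one extra byte and a copy to make the terminator a property of the buffer itself.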