This is the mail archive of the gcc-bugs@gcc.gnu.org mailing list for the GCC project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[Bug c/81405] [8 Regression] Buffer overflow when consolidating printing of out-of-order fix-it hints

From: "dmalcolm at gcc dot gnu.org" <gcc-bugzilla at gcc dot gnu dot org>
To: gcc-bugs at gcc dot gnu dot org
Date: Thu, 13 Jul 2017 19:31:15 +0000
Subject: [Bug c/81405] [8 Regression] Buffer overflow when consolidating printing of out-of-order fix-it hints
Auto-submitted: auto-generated
References: <bug-81405-4@http.gcc.gnu.org/bugzilla/>

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81405

--- Comment #3 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Author: dmalcolm
Date: Thu Jul 13 19:30:42 2017
New Revision: 250187

URL: https://gcc.gnu.org/viewcvs?rev=250187&root=gcc&view=rev
Log:
diagnostics: fix crash when consolidating out-of-order fix-it hints (PR
c/81405)

PR c/81405 identifies a crash when printing fix-it hints from
-Wmissing-braces when there are excess elements.

The fix-it hints are bogus (which I've filed separately as PR c/81432),
but they lead to a crash within the fix-it consolidation logic I added
in r247548, in line_corrections::add_hint.

The root cause is that some of the fix-it hints are out-of-order
with respect to the column numbers they affect, which can lead to negative
values when computing the gap between the fix-it hints, leading to bogus
memcpy calls that generate out-of-bounds buffer accesses.

The fix is to sort the fix-it hints after filtering them, ensuring that
the gap >= 0.  The patch also adds numerous assertions to the code, both
directly, and by moving the memcpy calls and their args behind
interfaces (themselves containing gcc_assert).

This fixes the crash; it doesn't fix the bug in -Wmissing-braces that
leads to the bogus hints.

gcc/ChangeLog:
        PR c/81405
        * diagnostic-show-locus.c (fixit_cmp): New function.
        (layout::layout): Sort m_fixit_hints.
        (column_range::column_range): Assert that the values are valid.
        (struct char_span): New struct.
        (correction::overwrite): New method.
        (struct source_line): New struct.
        (line_corrections::add_hint): Add assertions.  Reimplement memcpy
        calls in terms of classes source_line and char_span, and
        correction::overwrite.
        (selftest::test_overlapped_fixit_printing_2): New function.
        (selftest::diagnostic_show_locus_c_tests): Call it.

gcc/testsuite/ChangeLog:
        PR c/81405
        * gcc.dg/Wmissing-braces-fixits.c: Add coverage for PR c/81405.  */


Modified:
    trunk/gcc/ChangeLog
    trunk/gcc/diagnostic-show-locus.c
    trunk/gcc/testsuite/ChangeLog
    trunk/gcc/testsuite/gcc.dg/Wmissing-braces-fixits.c

References:
- [Bug c/81405] New: [8 Regression] Invalid write of size 2 in line_corrections::add_hint(fixit_hint const*) (diagnostic-show-locus.c:1514)
  - From: marxin at gcc dot gnu.org

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]