This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.



[PATCH] fix buffer overrun in 20051113-1.c


The attached patch fixes an out-of-bounds buffer access problem in
gcc.c-torture/execute/20051113-1.c.  We noticed the problem on VxWorks
targets when running RTP tests (roughly, kernel modules).

The problem is that we have the following definitions:

typedef struct
{
  short a;
  unsigned short b;
  unsigned short c;
  unsigned long long Count;
  long long Count2;
} __attribute__((packed)) Struct1;

typedef struct
{
  short a;
  unsigned short b;
  unsigned short c;
  unsigned long long d;
  long long e;
  long long f;
} __attribute__((packed)) Struct2;

typedef union
{
  Struct1 a;
  Struct2 b;
} Union;

typedef struct
{
  int Count;
  Union List[0];
} __attribute__((packed)) Struct3;

Note that Struct2 is just slightly longer than Struct1.  We then do:

  Struct3 *p = malloc (sizeof (int) + 3 * sizeof(Struct1));
  memset(p, 0, sizeof(int) + 3*sizeof(Struct1));

which allocates too little space for 'p' and therefore means that we
start writing off the end of the array:

  p->List[0].a.Count2 = 555;
  p->List[1].a.Count2 = 999;
  p->List[2].a.Count2 = 0x101010101LL;

thereby presumably corrupting data structures at the end of the
allocated memory chunk.

The patch simply s/Struct1/Union/ to ensure that we allocate the proper
amount of memory and avoid scribbling on memory we don't own.  I imagine
this hasn't been noticed on other platforms because the process teardown
procedures don't involve directly free()'ing allocated blocks, whereas
on VxWorks RTPs, things are a bit trickier.

Bootstrapped and regtested on x86_64-unknown-linux-gnu.  20051113-1.c on
VxWorks targets now passes as well.  OK to commit?

-Nathan

gcc/testsuite/
2007-06-26  Nathan Froyd  <froydnj@codesourcery.com>

	* gcc.c-torture/execute/20051113-1.c (main): Use the correct type
	when allocating and initializing a flexible array.

Attachment: 20051113-1.patch
Description: Text document
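To make the arithmetic behind the report concrete, the following added example (not part of the message or of the attached patch) reproduces the three types with the same packed layouts and computes how far the third `Count2` store lands past an allocation sized from `sizeof(Struct1)` rather than `sizeof(Union)`. The only departure from the test's source is that `List` is declared as a C99 flexible array member (`Union List[]`) instead of the GNU zero-length form; the function names are the example's own. The sizes assume 2-byte `short` and 8-byte `long long`, which holds on the usual GCC targets.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same layouts as gcc.c-torture/execute/20051113-1.c. */
typedef struct {
  short a;
  unsigned short b;
  unsigned short c;
  unsigned long long Count;
  long long Count2;
} __attribute__((packed)) Struct1;          /* 2+2+2+8+8 = 22 bytes */

typedef struct {
  short a;
  unsigned short b;
  unsigned short c;
  unsigned long long d;
  long long e;
  long long f;
} __attribute__((packed)) Struct2;          /* 2+2+2+8+8+8 = 30 bytes */

typedef union {
  Struct1 a;
  Struct2 b;
} Union;                                    /* max(22, 30) = 30 bytes */

typedef struct {
  int Count;
  Union List[];                             /* C99 spelling of the test's List[0] */
} __attribute__((packed)) Struct3;

/* Bytes the original test allocated for n elements: it sized the array by
   the smaller union member instead of by the union itself. */
size_t undersized_alloc(size_t n) {
  return sizeof(int) + n * sizeof(Struct1);
}

/* Bytes actually needed: the header plus n elements of the array's real
   element type (this is what the s/Struct1/Union/ fix achieves). */
size_t correct_alloc(size_t n) {
  return sizeof(Struct3) + n * sizeof(Union);
}

/* Offset one past the last byte touched by p->List[n-1].a.Count2 = ... */
size_t last_write_end(size_t n) {
  return offsetof(Struct3, List) + (n - 1) * sizeof(Union)
         + offsetof(Struct1, Count2) + sizeof(long long);
}

/* How many bytes of that store fall outside the undersized block
   (0 means the write is in bounds). */
size_t bytes_past_end(size_t n) {
  size_t end = last_write_end(n);
  size_t alloc = undersized_alloc(n);
  return end > alloc ? end - alloc : 0;
}

/* The test's stores, done against a correctly sized block; returns 1 if
   every value reads back unchanged. */
int fill_and_check(void) {
  Struct3 *p = malloc(correct_alloc(3));
  if (!p)
    return 0;
  memset(p, 0, correct_alloc(3));
  p->List[0].a.Count2 = 555;
  p->List[1].a.Count2 = 999;
  p->List[2].a.Count2 = 0x101010101LL;
  int ok = p->List[0].a.Count2 == 555
        && p->List[1].a.Count2 == 999
        && p->List[2].a.Count2 == 0x101010101LL;
  free(p);
  return ok;
}

int main(void) {
  printf("sizeof(Struct1)=%zu sizeof(Struct2)=%zu sizeof(Union)=%zu\n",
         sizeof(Struct1), sizeof(Struct2), sizeof(Union));
  printf("undersized=%zu correct=%zu last write ends at %zu, %zu bytes past end\n",
         undersized_alloc(3), correct_alloc(3), last_write_end(3), bytes_past_end(3));
  return fill_and_check() ? 0 : 1;
}
```

With three elements the undersized block is 70 bytes while the last `Count2` store ends at offset 86, so 16 bytes of heap metadata or neighbouring data after the chunk are overwritten; whether that is visible depends entirely on what the allocator keeps there and whether the block is ever freed, which is why the same test can pass on one target and fail on another. Sizing a flexible array by `sizeof` of its declared element type rather than of a member of that type is the general rule the fix applies.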

