This is the mail archive of the gcc-prs@gcc.gnu.org mailing list for the GCC project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: preprocessor/8055: CPP0 segfault on FreeBSD + PATCH


The following reply was made to PR preprocessor/8055; it has been noted by GNATS.

From: Zack Weinberg <zack@codesourcery.com>
To: ak03@gte.com, Mark Mitchell <mark@codesourcery.com>,
	Neil Booth <neil@daikokuya.co.uk>
Cc: gcc-gnats@gcc.gnu.org, gcc-patches@gcc.gnu.org
Subject: Re: preprocessor/8055: CPP0 segfault on FreeBSD + PATCH
Date: Fri, 27 Sep 2002 12:50:09 -0700

 Thank you for this bug report.  I've reproduced the problem, and
 confirm your analysis.  I'm going to do a complete bootstrap+test
 cycle on a slight modification of your patch (see below) and will
 apply to mainline if successful.
 
 Mark, is this an acceptable patch for 3.2.1?  It's not clear whether
 it's a regression from earlier 3.x, but it has been seen in the wild,
 and the fix is small, self-contained, and obvious.
 
 zw
 
 	* cppmacro.c (stringify_arg): Do not overflow the buffer
 	with the terminating NUL when the argument to be stringified
 	has no tokens.
 	* gcc.dg/cpp/20020927-1.c: New test case.
 
 ===================================================================
 Index: cppmacro.c
 --- cppmacro.c	22 Sep 2002 02:03:17 -0000	1.124
 +++ cppmacro.c	27 Sep 2002 19:48:15 -0000
 @@ -409,6 +409,12 @@ stringify_arg (pfile, arg)
      }
  
    /* Commit the memory, including NUL, and return the token.  */
 +  if ((size_t) (BUFF_LIMIT (pfile->u_buff) - dest) < 1)
 +    {
 +      size_t len_so_far = dest - BUFF_FRONT (pfile->u_buff);
 +      _cpp_extend_buff (pfile, &pfile->u_buff, 1);
 +      dest = BUFF_FRONT (pfile->u_buff) + len_so_far;
 +    }
    len = dest - BUFF_FRONT (pfile->u_buff);
    BUFF_FRONT (pfile->u_buff) = dest + 1;
    return new_string_token (pfile, dest - len, len);
 ===================================================================
 Index: testsuite/gcc.dg/cpp/20020927-1.c
 --- testsuite/gcc.dg/cpp/20020927-1.c	1 Jan 1970 00:00:00 -0000
 +++ testsuite/gcc.dg/cpp/20020927-1.c	27 Sep 2002 19:47:37 -0000
 @@ -0,0 +1,91 @@
 +/* Test case for buffer overflow bug in token stringification.
 +   See PR preprocessor/8055 for details.
 +   Reported by Alexander N. Kabaev <ak03@gte.com>.
 +   Test case written by Zack Weinberg <zack@codesourcery.com>.  */
 +
 +/* { dg-do preprocess } */
 +
 +#define S(x) #x
 +
 +/* Fill up one internal buffer with data.  */
 +S(1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  12345678901234567890123456789012345678901234567890123456789012345)
 +
 +/* When stringify_arg() was called with an empty macro argument, it would
 +   advance the buffer pointer by one but fail to check for running past the
 +   end of the buffer.  We can only know where the end of the buffer is to
 +   within about eight bytes, so do this sixteen times to be sure of hitting
 +   it.  */
 +
 +S()
 +S()
 +S()
 +S()
 +S()
 +S()
 +S()
 +S()
 +S()
 +S()
 +S()
 +S()
 +S()
 +S()
 +S()
 +S()
 +
 +/* Now allocate more memory in the buffer, which should provoke a crash.  */
 +
 +S(abcdefghijklmnopqrstuvwxyz)
 +S(abcdefghijklmnopqrstuvwxyz)
 


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]