This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: Fix writing beyond array bounds in codecvt/unshift/char/1.cc

From: Jonathan Wakely <jwakely dot gcc at gmail dot com>
To: Alexander Monakov <amonakov at ispras dot ru>
Cc: Andreas Schwab <schwab at redhat dot com>, gcc-patches at gcc dot gnu dot org, libstdc++ at gcc dot gnu dot org, Benjamin Kosnik <bkoz at redhat dot com>
Date: Thu, 22 Apr 2010 14:38:15 +0100
Subject: Re: Fix writing beyond array bounds in codecvt/unshift/char/1.cc
References: <alpine.LNX.2.00.1004131816450.308@monoid.intra.ispras.ru> <m3fx2zpfpx.fsf@hase.home> <alpine.LNX.2.00.1004221706470.308@monoid.intra.ispras.ru>

On 22 April 2010 14:14, Alexander Monakov wrote:
> [adding libstdc++@gcc.gnu.org to Cc:]
>
> Alexander Monakov <amonakov@ispras.ru> writes:
>> > 'size' definition seemingly does not account for a zero byte, and thus strcpy
>> > call near the end of the test overwrites one byte beyond allocated memory,
>> > which may lead to spurious test failures. ?The patch simply bumps size to 24.
>
> On Tue, 13 Apr 2010, Andreas Schwab wrote:
>
>> Alexander Monakov <amonakov@ispras.ru> writes:
>>
>> > diff --git a/libstdc++-v3/testsuite/22_locale/codecvt/unshift/char/1.cc b/libstdc++-v3/testsuite/22_locale/codecvt/unshift/char/1.cc
>> > index ba417af..8a45efc 100644
>> > --- a/libstdc++-v3/testsuite/22_locale/codecvt/unshift/char/1.cc
>> > +++ b/libstdc++-v3/testsuite/22_locale/codecvt/unshift/char/1.cc
>> > @@ -35,7 +35,7 @@ void test01()
>> > ? ?bool test __attribute__((unused)) = true;
>> > ? ?const char* ? ? ? ? ? ? ?c_lit = "black pearl jasmine tea";
>> > ? ?const char* ? ? ? ? ? ? ?from_next;
>> > - ?int ? ? ? ? ? ? ? ? ? ? ?size = 23;
>> > + ?int ? ? ? ? ? ? ? ? ? ? ?size = 24;
>>
>> How about using strlen(c_lit)?
>>
>> > ? ?char* ? ? ? ? ? ?c_arr = new char[size];
>> > ? ?char* ? ? ? ? ? ? ? ? c_ref = new char[size];
>>
>> I think you rather want to use size+1 for the allocations.
>>
>> Andreas.
>>
>>
>
> I'd rather keep allocations as is, since size is passed as an argument into
> various functions in the test, and we probably want to notice them access one
> element beyond array bounds. ?Thus, I'm changing size to strlen(c_lit) + 1.
>
> OK to commit?
>
> 2010-04-22 ?Alexander Monakov ?<amonakov@ispras.ru>
>
> ? ? ? ?* 22_locale/codecvt/unshift/char/1.cc (test01): Correct definition of size.
>
> diff --git a/libstdc++-v3/testsuite/22_locale/codecvt/unshift/char/1.cc b/libstdc++-v3/testsuite/22_locale/codecvt/unshift/char/1.cc
> index ba417af..6e851ff 100644
> --- a/libstdc++-v3/testsuite/22_locale/codecvt/unshift/char/1.cc
> +++ b/libstdc++-v3/testsuite/22_locale/codecvt/unshift/char/1.cc
> @@ -35,7 +35,7 @@ void test01()
> ? bool test __attribute__((unused)) = true;
> ? const char* ? ? ? ? ?c_lit = "black pearl jasmine tea";
> ? const char* ? ? ? ? ?from_next;
> - ?int ? ? ? ? ? ? ? ? ?size = 23;
> + ?int ? ? ? ? ? ? ? ? ?size = strlen(c_lit) + 1;
> ? char* ? ? ? ? ? ? ? ?c_arr = new char[size];
> ? char* ? ? ? ? ? ? ? ? c_ref = new char[size];
> ? char* ? ? ? ? ? ? ? ? ? ? ? ?to_next;

But now when c_lit+size is passed to cvt->in() and cvt->out() it will
be too large.

I agree with Andreas, allocate size+1, do not change size.

Alternatively, do something like change strcpy to memcpy, so it
doesn't write a NUL.

Follow-Ups:
- Re: Fix writing beyond array bounds in codecvt/unshift/char/1.cc
  - From: Alexander Monakov

References:
- Fix writing beyond array bounds in codecvt/unshift/char/1.cc
  - From: Alexander Monakov
- Re: Fix writing beyond array bounds in codecvt/unshift/char/1.cc
  - From: Andreas Schwab
- Re: Fix writing beyond array bounds in codecvt/unshift/char/1.cc
  - From: Alexander Monakov

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]