This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]

mem stomp in cpplib.c?

To: zack at wolery dot cumb dot org
Subject: mem stomp in cpplib.c?
From: Robert Lipe <robertl at sco dot com>
Date: Wed, 5 Jul 2000 10:22:50 -0500
Cc: gcc at gcc dot gnu dot org

This results in cpp coring:

 $ > /tmp/x.c
 $ ./cpp -Amachine\(i386\) -Acpu\(i386\) /tmp/x.c

The offending code looks to be in cpplib.c:1330.

  *answerp = answer;
  len = predicate->val.name.len + 1;
  sym = alloca (len);

  /* Prefix '#' to get it out of macro namespace.  */
  sym[0] = '#';
  memcpy (sym + 1, predicate->val.name.text, len);
  return cpp_lookup (pfile, sym, len);

 error:


'sym' holds 'len' bytes of storage.  We then copy 'len' bytes of storage
starting at 'sym+1'.  So we have a tiny little stack overwrite here.

The obvious thing of adding 1 to the size of the allocated buffer cures
this testcase.

RJL

Follow-Ups:
- Re: mem stomp in cpplib.c?
  - From: Zack Weinberg

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]