This is the mail archive of the gcc-bugs@gcc.gnu.org mailing list for the GCC project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[Bug lto/41550] Fix security and portability issues in lto-plugin

From: "rguenth at gcc dot gnu dot org" <gcc-bugzilla at gcc dot gnu dot org>
To: gcc-bugs at gcc dot gnu dot org
Date: 31 Oct 2009 13:11:10 -0000
Subject: [Bug lto/41550] Fix security and portability issues in lto-plugin
References: <bug-41550-91@http.gcc.gnu.org/bugzilla/>
Reply-to: gcc-bugzilla at gcc dot gnu dot org


------- Comment #2 from rguenth at gcc dot gnu dot org  2009-10-31 13:11 -------
Some things were fixed.  Still open are

> +/* Pass files generated by the lto-wrapper to the linker. FD is lto-wrapper's
> +   stdout. */
> +
> +static void
> +add_output_files (FILE *f)
> +{
> +  char fname[1000]; /* FIXME: Is this big enough? */

I don't know what sort of strings go there, but if they can be filenames 
with user-controlled components then the GNU Coding Standards say to avoid 
arbitrary limits.

> +      output_files = realloc (output_files, num_output_files * sizeof (char *));
> +      output_files[num_output_files - 1] = strdup (s);

Use xrealloc and xstrdup.  Other places have the same issue with realloc 
or calloc or strdup.


Also there are still asserts that look fishy.

  assert (lto_wrapper_argv);

  temp_obj_dir_name = strdup ("tmp_objectsXXXXXX");
  t = mkdtemp (temp_obj_dir_name);
  assert (t == temp_obj_dir_name);

(see also PR39023)


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=41550

References:
- [Bug lto/41550] New: Fix security and portability issues in lto-plugin
  - From: dnovillo at gcc dot gnu dot org

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]