java/7830: Off-by-one buffer overruns in fastjar tool

greenrd@hotmail.com greenrd@hotmail.com
Wed Sep 4 15:06:00 GMT 2002


>Number:         7830
>Category:       java
>Synopsis:       Off-by-one buffer overruns in fastjar tool
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    unassigned
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Sep 04 15:06:00 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     greenrd@hotmail.com
>Release:        gcc-3.2
>Organization:
>Environment:
Red Hat Rawhide, with Red Hat's glibc-2.2.90-26
>Description:
The fastjar tool (jar) included with gcc 3.2 has a bug where if a filename being read is the same length as the buffer it is being read into, it neglects to re-malloc the buffer to allow room for the null terminator. If the MALLOC_CHECK_ environment variable is set to 2 this causes the program to abort when it next tries to free and re-malloc the buffer.

The bug was already fixed in one copy of a chunk of code, but not in two other copies.
>How-To-Repeat:
The following shell script reproduces the bug. Expected last line of output:
./jarbug-demo.sh: line 23: [pid] Aborted                 jar tf test.jar


#! /bin/bash

# Echo commands to stdout
set -x

# Ensure that the bug will result in an abort()
export MALLOC_CHECK_=2

# Create some test entries to put in the jar:
# These must be longer than the META-INF entries, which come first, to trigger the bug,
# hence the 000s

mkdir -p test/000000000000000000000000000-a
# Add an entry whose length is 1 longer than the previous one
mkdir -p test/000000000000000000000000000-ab
# Another entry, to let malloc notice the bug
mkdir -p test/000000000000000000000000000-dummy

# Create the test jar, ensuring files are added in sorted order
find test/*|sort|xargs jar cvf test.jar

# List the contents of the test jar - now bug should happen
jar tf test.jar
>Fix:
Apply attached patch
>Release-Note:
>Audit-Trail:
>Unformatted:
----gnatsweb-attachment----
Content-Type: application/octet-stream; name="jartool.c.patch"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="jartool.c.patch"
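The off-by-one the report describes, modelled as an added C example. This is not fastjar's own jartool.c code and the attached patch is not reproduced here; it assumes a simplified reader that keeps one heap buffer for the current entry name, regrows it to name length plus one, and differs from the fixed code only in the growth condition. The entry list in main() is constructed to mirror the jar the repro script builds (directory entries with a trailing slash), so the "-ab" entry is exactly one byte longer than the buffer left behind by "-a".

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Buggy condition as the report describes it: the buffer is only regrown
 * when the name is strictly longer than the buffer, so a name exactly `cap`
 * bytes long is copied in full and its NUL terminator lands at buf[cap],
 * one byte past the allocation. glibc's MALLOC_CHECK_=2 notices the
 * clobbered chunk header on the next free()/realloc() and abort()s. */
static int buggy_needs_grow(size_t name_len, size_t cap)
{
    return name_len > cap;
}

/* Corrected condition: the buffer must hold name_len bytes plus the NUL. */
static int fixed_needs_grow(size_t name_len, size_t cap)
{
    return name_len + 1 > cap;
}

/* Returns 1 when the buggy check would skip regrowing and the terminator
 * would therefore be written past the end of a cap-byte buffer. */
int overruns_with_buggy_check(size_t name_len, size_t cap)
{
    return !buggy_needs_grow(name_len, cap) && name_len + 1 > cap;
}

/* Copy `name` into *buf, regrowing with the corrected check. The caller
 * owns *buf (start with NULL and cap 0); the new capacity is returned. */
size_t store_name(char **buf, size_t cap, const char *name, size_t name_len)
{
    if (*buf == NULL || fixed_needs_grow(name_len, cap)) {
        cap = name_len + 1;                 /* room for the terminator */
        char *nb = realloc(*buf, cap);
        if (nb == NULL) {
            perror("realloc");
            exit(EXIT_FAILURE);
        }
        *buf = nb;
    }
    memcpy(*buf, name, name_len);
    (*buf)[name_len] = '\0';
    return cap;
}

/* Walk entry names in archive order with the buggy growth rule and return
 * the index of the first entry that would overrun, or -1 if none does.
 * Assumption (not taken from the report): capacity becomes name_len + 1
 * whenever the buffer is regrown. */
int first_overrun_index(const char *const *names, size_t n)
{
    size_t cap = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(names[i]);
        if (i == 0 || buggy_needs_grow(len, cap)) {
            cap = len + 1;
            continue;
        }
        if (overruns_with_buggy_check(len, cap))
            return (int)i;
    }
    return -1;
}

int main(void)
{
    /* Constructed entry list mirroring the repro script's jar. */
    static const char *const entries[] = {
        "META-INF/",
        "META-INF/MANIFEST.MF",
        "test/",
        "test/000000000000000000000000000-a/",
        "test/000000000000000000000000000-ab/",
        "test/000000000000000000000000000-dummy/",
    };
    size_t n = sizeof entries / sizeof entries[0];

    int idx = first_overrun_index(entries, n);
    printf("buggy check overruns at entry %d (%s)\n",
           idx, idx >= 0 ? entries[idx] : "none");

    /* The corrected reader handles the same sequence without overrunning. */
    char *buf = NULL;
    size_t cap = 0;
    for (size_t i = 0; i < n; i++) {
        cap = store_name(&buf, cap, entries[i], strlen(entries[i]));
        printf("cap=%zu name=%s\n", cap, buf);
    }
    free(buf);
    return 0;
}
```

The model explains why the script needs three entries: "-a" sets the capacity, "-ab" (one byte longer) is the write past the end, and "-dummy" forces the next realloc() at which glibc's heap check catches the damaged chunk header. Running a fixed build under MALLOC_CHECK_=2 with the same jar is the practical regression test.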