[PATCH] Fix several buffer overruns in gcov

Bernd Edlinger bernd.edlinger@hotmail.de
Fri Mar 31 06:25:00 GMT 2017


On 03/31/17 01:27, Nathan Sidwell wrote:
> On 03/30/2017 04:11 PM, Bernd Edlinger wrote:
>> Hi,
>>
>> I'd like to fix a few buffer overruns I have found in the gcov tools.
>> First I noticed that the -x output contains most of the time "ff" bytes,
>> and that when different source files exist in different directories,
>> with same base name the MD5 sum always matches, which results in
>> gcov overwriting the previous result file always, except if -l is given,
>> which makes hashing the file names practically useless.
>>
>> And secondly I wanted to fix a potential buffer underflow if a file
>> contains lines which begin with NUL ASCII characters, and an out of
>> memory due to always doubling the buffer space, even if the line
>> buffer is not yet filled up.
>>
>>
>> Bootstrapped and reg-tested on x86_64-pc-linux-gnu.
>> Is it OK for trunk?
>
> ok.  Could you put a comment on the buffer reallocation test about NUL
> defense, thanks!
>

Thanks for the quick response!
I added a comment and committed as r246605:

Index: gcc/gcov.c
===================================================================
--- gcc/gcov.c	(revision 246604)
+++ gcc/gcov.c	(revision 246605)
@@ -2167,7 +2167,7 @@
  md5sum_to_hex (const char *sum, char *buffer)
  {
    for (unsigned i = 0; i < 16; i++)
-    sprintf (buffer + (2 * i), "%02x", sum[i]);
+    sprintf (buffer + (2 * i), "%02x", (unsigned char)sum[i]);
  }

  /* Generate an output file name. INPUT_NAME is the canonicalized main
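Review bot: the cast is the right fix, but the reason deserves a comment on the `sprintf` line: `sum` is `const char *`, and on targets where plain `char` is signed any byte >= 0x80 is sign-extended to a negative `int` before `%02x` formats it, so it prints `ffffffxx` (eight characters) instead of two, and 16 such bytes write well past the 33-byte `md5sum_hex` buffer used in the next hunk. Declaring the parameter as `const unsigned char *sum` (if the caller's `md5sum` type allows it) would make the intent self-documenting and remove the need for the cast.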
@@ -2216,7 +2216,7 @@
        char md5sum_hex[33];

        md5_init_ctx (&ctx);
-      md5_process_bytes (result, strlen (result), &ctx);
+      md5_process_bytes (src_name, strlen (src_name), &ctx);
        md5_finish_ctx (&ctx, md5sum);
        md5sum_to_hex (md5sum, md5sum_hex);
        free (result);
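Review bot: the function comment shown as context in the previous hunk ("INPUT_NAME is the canonicalized main ...") should now say that the MD5 suffix is computed over `src_name`, the full canonical source path; the old input `result` evidently depended only on the base name, which is why same-named files in different directories hashed identically and overwrote each other as described in the thread. Since `result` is no longer the hash input, it is worth confirming that the `free (result)` at the end of this hunk still has a matching use earlier in the function; if not, that allocation can go.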
@@ -2512,14 +2512,20 @@
      {
        size_t len = strlen (string + pos);

-      if (string[pos + len - 1] == '\n')
+      if (len && string[pos + len - 1] == '\n')
  	{
  	  string[pos + len - 1] = 0;
  	  return string;
  	}
        pos += len;
-      string = XRESIZEVEC (char, string, string_len * 2);
-      string_len *= 2;
+      /* If the file contains NUL characters or an incomplete
+	 last line, which can happen more than once in one run,
+	 we have to avoid doubling the STRING_LEN unnecessarily.  */
+      if (pos > string_len / 2)
+	{
+	  string_len *= 2;
+	  string = XRESIZEVEC (char, string, string_len);
+	}
      }

    return pos ? string : NULL;
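Review bot: the new `len &&` guard and the resize condition look correct, but the comment above `if (pos > string_len / 2)` should also spell out what happens to the bytes after an embedded NUL: `strlen (string + pos)` stops at the NUL, so `pos` does not advance past it and the next read into `string + pos` overwrites everything from the NUL up to the newline, i.e. the returned line is silently truncated at the first NUL. Stating that explicitly keeps a future reader from treating the truncation as a bug. The threshold itself is sound: the buffer is only doubled once it is more than half full, so each read always has at least `string_len / 2` bytes of room, and a read that fills the buffer (`pos == string_len - 1`) still triggers the doubling.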
Index: gcc/ChangeLog
===================================================================
--- gcc/ChangeLog	(revision 246604)
+++ gcc/ChangeLog	(revision 246605)
@@ -1,3 +1,10 @@
+2017-03-31  Bernd Edlinger  <bernd.edlinger@hotmail.de>
+
+	* gcov.c (md5sum_to_hex): Fix output of MD5 hex bytes.
+	(make_gcov_file_name): Use the canonical path name for generating
+	the MD5 value.
+	(read_line): Fix handling of files with ascii null bytes.
+
  2017-03-30  Matthew Fortune  <matthew.fortune@imgtec.com>

  	* config/mips/mips.c (mips_expand_vector_init): Create a const_vector
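Review bot: style only: "ascii null bytes" in the `(read_line)` entry would be clearer as "NUL bytes", matching the wording of the new comment in the code.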


PS: Could you also please have a look at
https://gcc.gnu.org/ml/gcc-patches/2017-03/msg01434.html


Thanks
Bernd.

