preprocessor/9514: tradcpp0 dumps core on binary data

Alexander N. Kabaev ak03@gte.com
Thu Jan 30 20:26:00 GMT 2003 

>Number:         9514
>Category:       preprocessor
>Synopsis:       tradcpp0 dumps core on binary data
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    unassigned
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Jan 30 20:26:00 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator:     Alexander N. Kabaev
>Release:        3.2.2 20030106 (prerelease)
>Organization:
FreeBSD.ORG
>Environment:
System: FreeBSD ork.gte.com 4.7-STABLE FreeBSD 4.7-STABLE #3: Tue Jan 28 11:09:15 EST 2003 ak03@ork.gte.com:/usr/src/sys/compile/KAN i386


	
host: i386-portbld-freebsd4.7
build: i386-portbld-freebsd4.7
target: i386-portbld-freebsd4.7
configured with: ./..//gcc-3.2.1/configure --disable-nls --with-gnu-as --with-gnu-ld --with-gxx-include-dir=/usr/local/lib/gcc-lib/i386-portbld-freebsd4.7/3.2.1/include/g++-v3 --with-system-zlib --includedir=/usr/local/lib/gcc-lib/i386-portbld-freebsd4.7/3.2.1/include/Java --disable-libgcj --disable-shared --prefix=/usr/local i386-portbld-freebsd4.7
>Description:
	When given a data with embbedded '\0' before the first '\r' occurrentce,
	tradcpp0 will dump core trying to dereference a null pointer.

	The following code in fixup_newlines function is problematic:

  p = (U_CHAR *) strchr ((const char *) fp->buf, '\r');
  *end = '\0';
  if (p == end)
    return;

  if (p > fp->buf && p[-1] == '\n')
    p--;
  q = p;
  while (p < end)
    switch (*p)
          ^^^^^ Crash happens here.

	With null character before the first '\r', strchr can return NULL,
	causing the crash later.
	
	Preprocessing binary data is questionable activity, but I think
	preprocessor should handle these mistakes gracefully.

>How-To-Repeat:
       tradcpp0 /etc on any system which allow directory opens (i.e. any BSD system)

>Fix:
	
Index: tradcpp.c
===================================================================
RCS file: /usr/ncvs/src/contrib/gcc/tradcpp.c,v
retrieving revision 1.1.1.5
diff -u -r1.1.1.5 tradcpp.c
--- tradcpp.c	4 Dec 2002 15:40:06 -0000	1.1.1.5
+++ tradcpp.c	30 Jan 2003 20:13:45 -0000
@@ -2605,7 +2605,7 @@
 
   end = fp->buf + fp->length;
   *end = '\r';
-  p = (U_CHAR *) strchr ((const char *) fp->buf, '\r');
+  p = (U_CHAR *) memchr ((const char *) fp->buf, '\r', fp->length + 1);
   *end = '\0';
   if (p == end)
     return;
>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the Gcc-prs mailing list