buffer overflow in libctf tests

buffer overflow in libctf tests

[Alan Modra]

       * testsuite/libctf-regression/gzrewrite.c (main): Don't overflow
       "a" buffer in "after adding types" check.
       * testsuite/libctf-regression/zrewrite.c (main): Likewise.

diff --git a/libctf/testsuite/libctf-regression/gzrewrite.c b/libctf/testsuite/libctf-regression/gzrewrite.c
index 99722200950..2e679e85bfe 100644
--- a/libctf/testsuite/libctf-regression/gzrewrite.c
+++ b/libctf/testsuite/libctf-regression/gzrewrite.c
@@ -114,7 +114,7 @@ main (int argc, char *argv[])
   if ((b = read_gz ("tmpdir/two.gz", &b_len)) == NULL)
     goto read_err;
 
-  if (memcmp (a, b, b_len) == 0)
+  if (a_len == b_len && memcmp (a, b, b_len) == 0)
     {
       fprintf (stderr, "gzwrites after adding types does not change the dict\n");
       return 1;
diff --git a/libctf/testsuite/libctf-regression/zrewrite.c b/libctf/testsuite/libctf-regression/zrewrite.c
index a88c824b568..5e061f10a5f 100644
--- a/libctf/testsuite/libctf-regression/zrewrite.c
+++ b/libctf/testsuite/libctf-regression/zrewrite.c
@@ -109,7 +109,7 @@ main (int argc, char *argv[])
 
   b = read_file ("tmpdir/two", &b_len);
 
-  if (memcmp (a, b, b_len) == 0)
+  if (a_len == b_len && memcmp (a, b, b_len) == 0)
     {
       fprintf (stderr, "compress_writes after adding types does not change the dict\n");
       return 1;

-- 
Alan Modra
Australia Development Lab, IBM

Re: buffer overflow in libctf tests

[Nick Alcock]

On 24 Apr 2024, Alan Modra outgrape:

>        * testsuite/libctf-regression/gzrewrite.c (main): Don't overflow
>        "a" buffer in "after adding types" check.
>        * testsuite/libctf-regression/zrewrite.c (main): Likewise.

Was I *asleep* when I wrote these?

(And how did this escape the sanitizer checks, valgrind checks etc I
was doing, of which there were many...)

Obviously correct: thank you!