* [Bug bootstrap/12490] New: buffer overflow in scan-decls.c (bootstrap fails)
From: tjko at iki dot fi @ 2003-10-02  8:54 UTC (permalink / raw)
  To: gcc-bugs

PLEASE REPLY TO gcc-bugzilla@gcc.gnu.org ONLY, *NOT* gcc-bugs@gcc.gnu.org.

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=12490

           Summary: buffer overflow in scan-decls.c (bootstrap fails)
           Product: gcc
           Version: 3.3.1
            Status: UNCONFIRMED
          Severity: critical
          Priority: P2
         Component: bootstrap
        AssignedTo: unassigned at gcc dot gnu dot org
        ReportedBy: tjko at iki dot fi
                CC: gcc-bugs at gcc dot gnu dot org
  GCC host triplet: sparc-sun-solaris2.9
GCC target triplet: sparc-sun-solaris2.9

Apparently recent patches from Sun make some changes to system
headers in Solaris 9, causing fix-header to segfault when doing
"make bootstrap".


How to reproduce (on Solaris 9 with latest recommended patches installed,
using gcc-3.3 as bootstrap compiler):

# mkdir objdir; cd objdir
# ../configure --prefix=/opt/gcc-3.3.1 --enable-languages=c,c++ --disable-nls --disable-shared
# make bootstrap
...
if [ -f fixhdr.ready ] ; then \
        true; \
else \
        echo timestamp > fixhdr.ready; \
fi
if [ -f include/fixed ] ; then true; \
else \
  : This line works around a 'make' bug in BSDI 1.1.; \
  FIXPROTO_DEFINES=""; export FIXPROTO_DEFINES; \
  mkinstalldirs="/bin/sh ../../gcc/mkinstalldirs"; \
    export mkinstalldirs; \
  if [ -d /usr/include ] ; then \
    /bin/sh ../../gcc/fixproto include include /usr/include; \
    if [ $? -eq 0 ] ; then true ; else exit 1 ; fi ; \
  else true; fi; \
  echo timestamp > include/fixed; \
fi
fixproto: populating `include'
fix-header: fixing curses.h
Segmentation Fault - core dumped
make[2]: *** [stmp-fixproto] Error 1
make[2]: Leaving directory `/opt/src/gcc/gcc-3.3.1/objdir/gcc'
make[1]: *** [stage1_build] Error 2
make[1]: Leaving directory `/opt/src/gcc/gcc-3.3.1/objdir/gcc'
make: *** [bootstrap] Error 2


After investigating this with gdb, it seems global variable
symbol_table (from fix-header.c) gets overwritten when
extern_C_braces (from scan-decls.c) overflows, if there are
too many nested braces in header files.


The following seems to fix the problem, but this is just a hack,
not a real fix, since this might still happen if there are
really many nested braces in some weird header file :)

--- gcc-3.3.1/gcc/scan-decls.c.orig     Thu Oct  2 11:49:15 2003
+++ gcc-3.3.1/gcc/scan-decls.c  Thu Oct  2 11:50:16 2003
@@ -32,7 +32,7 @@
    indicate the (brace nesting levels of) left braces that were
    prefixed by extern "C".  */
 int extern_C_braces_length = 0;
-char extern_C_braces[20];
+char extern_C_braces[200];
 #define in_extern_C_brace (extern_C_braces_length>0)
 
 /* True if the function declaration currently being scanned is
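Review bot: enlarging `char extern_C_braces[20]` to `[200]` in this hunk leaves the index unchecked, so the overwrite of the neighbouring global `symbol_table` described above is only pushed out to a deeper header, not prevented. Give the size a name (`#define MAX_EXTERN_C_BRACES 200`) and have `scan_decls` stop with a diagnostic when `extern_C_braces_length` reaches it, rather than writing past the end; the comment above the array should also say why 200 was chosen.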



* [Bug bootstrap/12490] buffer overflow in scan-decls.c (bootstrap fails)
From: ebotcazou at gcc dot gnu dot org @ 2003-10-03  3:59 UTC (permalink / raw)
  To: gcc-bugs



ebotcazou at gcc dot gnu dot org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |WAITING
   Target Milestone|---                         |3.3.2


------- Additional Comments From ebotcazou at gcc dot gnu dot org  2003-10-03 03:59 -------
That's really annoying and we should fix it for GCC 3.3.2.

I think your solution is good enough because fixproto will be obsoleted in GCC
3.4 (in particular on Solaris machines). Any chance that you could estimate the
maximum nesting level? I'd like to both have a security margin and put a comment.

Thanks in advance.



* [Bug bootstrap/12490] buffer overflow in scan-decls.c (bootstrap fails)
From: ebotcazou at gcc dot gnu dot org @ 2003-10-03  3:59 UTC (permalink / raw)
  To: gcc-bugs



ebotcazou at gcc dot gnu dot org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|unassigned at gcc dot gnu   |ebotcazou at gcc dot gnu dot
                   |dot org                     |org
             Status|WAITING                     |ASSIGNED


------- Additional Comments From ebotcazou at gcc dot gnu dot org  2003-10-03 03:59 -------
I'll take care of it.



* [Bug bootstrap/12490] buffer overflow in scan-decls.c (bootstrap fails)
From: mark at codesourcery dot com @ 2003-10-05 18:29 UTC (permalink / raw)
  To: gcc-bugs




------- Additional Comments From mark at codesourcery dot com  2003-10-05 18:29 -------
Subject: Re: buffer overflow in scan-decls.c (bootstrap fails)

On Fri, 2003-10-03 at 23:18, ebotcazou at gcc dot gnu dot org wrote:
> PLEASE REPLY TO gcc-bugzilla@gcc.gnu.org ONLY, *NOT* gcc-bugs@gcc.gnu.org.
> 
> http://gcc.gnu.org/bugzilla/show_bug.cgi?id=12490

This patch is OK.  For extra brownie points, add an error message in the
case that extern_C_braces_length overflows the array bounds, but that's
not necessary if you don't have time.

Thanks,



* [Bug bootstrap/12490] buffer overflow in scan-decls.c (bootstrap fails)
From: cvs-commit at gcc dot gnu dot org @ 2003-10-08 12:29 UTC (permalink / raw)
  To: gcc-bugs




------- Additional Comments From cvs-commit at gcc dot gnu dot org  2003-10-08 12:29 -------
Subject: Bug 12490

CVSROOT:	/cvs/gcc
Module name:	gcc
Changes by:	ebotcazou@gcc.gnu.org	2003-10-08 12:29:28

Modified files:
	gcc            : ChangeLog scan-decls.c 

Log message:
	PR bootstrap/12490
	* scan-decls.c (MAX_EXTERN_C_BRACES): New preprocessor constant
	to define the size of the extern_C_braces array.  Set it to 200.
	(scan_decls): Abort when extern_C_braces_length is out-of-bounds.

Patches:
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/gcc/ChangeLog.diff?cvsroot=gcc&r1=2.1336&r2=2.1337
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/gcc/scan-decls.c.diff?cvsroot=gcc&r1=1.32&r2=1.33


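As an added example (not GCC's code and not from anyone in this thread), this is the shape of the fix that the report's gdb analysis and the log message above describe: a named table size, a push that is bounds-checked instead of overwriting the neighbouring global, and a toy scanner that drives it with nested extern "C" blocks. The scanner, scan_nested, and returning an error rather than aborting are assumptions made for illustration.

```c
#include <string.h>
/* Constructed illustration of the fix this thread describes, not GCC's own
   scan-decls.c: the extern "C" brace table gets a named size and a bounds-checked
   push, so an over-nested header fails cleanly instead of writing past the array. */
#define MAX_EXTERN_C_BRACES 200
static int extern_C_braces_length = 0;
static int extern_C_braces[MAX_EXTERN_C_BRACES]; /* int, not char: levels may exceed 127 */
static int push_extern_C_brace(int level)   /* record an extern "C" '{' opened at `level' */
{
    if (extern_C_braces_length >= MAX_EXTERN_C_BRACES)
        return -1;                  /* the unchecked write here was the original bug */
    extern_C_braces[extern_C_braces_length++] = level;
    return 0;
}

/* Toy scanner: deepest extern "C" nesting in `text', or -1 if the table would overflow. */
int scan_braces(const char *text)
{
    int level = 0, deepest = 0, after_extern_C = 0;
    extern_C_braces_length = 0;
    for (; *text; text++) {
        if (strncmp(text, "extern \"C\"", 10) == 0) {
            after_extern_C = 1;
            text += 9;              /* the loop's text++ skips the closing quote */
        } else if (*text == '{') {
            if (after_extern_C && push_extern_C_brace(level + 1) < 0)
                return -1;
            level++, after_extern_C = 0;
            if (extern_C_braces_length > deepest) deepest = extern_C_braces_length;
        } else if (*text == '}' && level > 0) {
            if (extern_C_braces_length && extern_C_braces[extern_C_braces_length - 1] == level)
                extern_C_braces_length--;   /* this '}' closes an extern "C" block */
            level--;
        } else if (!strchr(" \t\n", *text)) {
            after_extern_C = 0;     /* extern "C" applied to a declaration, not a block */
        }
    }
    return deepest;
}

/* Build and scan `n' nested extern "C" blocks (the report's "too many nested braces"). */
int scan_nested(int n)
{
    static char buf[(MAX_EXTERN_C_BRACES + 1) * 13 + 1]; /* MAX+1 blocks suffice to trip the check */
    char *p = buf; int i;
    if (n < 0 || n > MAX_EXTERN_C_BRACES + 1) return -2;  /* keep this helper in bounds too */
    for (i = 0; i < n; i++, p += 12) memcpy(p, "extern \"C\" {", 12);
    for (i = 0; i < n; i++) *p++ = '}';
    *p = '\0'; return scan_braces(buf);
}
```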

* [Bug bootstrap/12490] buffer overflow in scan-decls.c (bootstrap fails)
From: cvs-commit at gcc dot gnu dot org @ 2003-10-08 12:33 UTC (permalink / raw)
  To: gcc-bugs




------- Additional Comments From cvs-commit at gcc dot gnu dot org  2003-10-08 12:33 -------
Subject: Bug 12490

CVSROOT:	/cvs/gcc
Module name:	gcc
Branch: 	gcc-3_3-branch
Changes by:	ebotcazou@gcc.gnu.org	2003-10-08 12:33:49

Modified files:
	gcc            : ChangeLog scan-decls.c 

Log message:
	PR bootstrap/12490
	* scan-decls.c (MAX_EXTERN_C_BRACES): New preprocessor constant
	to define the size of the extern_C_braces array.  Set it to 200.
	(scan_decls): Abort when extern_C_braces_length is out-of-bounds.

Patches:
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/gcc/ChangeLog.diff?cvsroot=gcc&only_with_tag=gcc-3_3-branch&r1=1.16114.2.773&r2=1.16114.2.774
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/gcc/scan-decls.c.diff?cvsroot=gcc&only_with_tag=gcc-3_3-branch&r1=1.30&r2=1.30.20.1



* [Bug bootstrap/12490] buffer overflow in scan-decls.c
From: ebotcazou at gcc dot gnu dot org @ 2003-10-08 12:38 UTC (permalink / raw)
  To: gcc-bugs



ebotcazou at gcc dot gnu dot org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED
            Summary|buffer overflow in scan-    |buffer overflow in scan-
                   |decls.c (bootstrap fails)   |decls.c


------- Additional Comments From ebotcazou at gcc dot gnu dot org  2003-10-08 12:37 -------
Patch applied with Mark's amelioration.


