public inbox for gcc-bugs@sourceware.org
* [Bug other/27348] New: memcmp reads past end of strings
@ 2006-04-28 11:53 gcc-bugzilla at gcc dot gnu dot org
2006-04-28 19:06 ` [Bug libmudflap/27348] mudflap produces a bogus error with memcmp that goes over the size pinskia at gcc dot gnu dot org
0 siblings, 1 reply; 2+ messages in thread
From: gcc-bugzilla at gcc dot gnu dot org @ 2006-04-28 11:53 UTC (permalink / raw)
To: gcc-bugs
If you use memcmp to compare strings, it does not stop reading when it
finds the terminating null byte of the shortest string, which can
trigger an attempt to read unallocated memory. I'd recommend
replacing instances of memcmp on strings with strncmp, which won't
attempt to read past the end of the shortest string.
Environment:
System: Linux puffer.diveadx.com 2.6.16-1.2069_FC4smp #1 SMP Tue Mar 28
12:47:32 EST 2006 i686 i686 i386 GNU/Linux
Architecture: i686
host: i686-pc-linux-gnu
build: i686-pc-linux-gnu
target: i686-pc-linux-gnu
configured with: /src/latest/trunk/src/gcc/configure -v
--prefix=/opt/local/latest/trunk --enable-languages=c,c++
--cache-file=.././config.cache --srcdir=/src/latest/trunk/src/gcc
How-To-Repeat:
As an example, build gengtype with mudflap and run it. It will
detect lots of reads by memcmp past the end of a string.
------- Comment #1 from fnf at specifix dot com 2006-04-28 11:53 -------
Fix:
Here's an example fix for gengtype.c
Index: gengtype.c
===================================================================
RCS file: /cvsroots/latest/src/gcc/gcc/gengtype.c,v
retrieving revision 1.1.1.4
diff -u -r1.1.1.4 gengtype.c
--- gengtype.c 15 Mar 2006 20:17:05 -0000 1.1.1.4
+++ gengtype.c 28 Apr 2006 10:48:11 -0000
@@ -1179,7 +1179,7 @@
size_t i;
for (i = 1; i < NUM_BASE_FILES; i++)
if ((size_t)(slashpos - basename) == strlen (lang_dir_names [i])
- && memcmp (basename, lang_dir_names[i], strlen (lang_dir_names[i]))
== 0)
+ && strncmp (basename, lang_dir_names[i], strlen
(lang_dir_names[i])) == 0)
{
/* It's in a language directory, set that language. */
bitmap = 1 << i;
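Review bot: in this hunk the preceding test `(size_t)(slashpos - basename) == strlen (lang_dir_names [i])` short-circuits the comparison, so, assuming slashpos points into basename, the original memcmp was only reached when basename already held that many bytes before the slash and could not run past the string here. Switching to strncmp is harmless, but the description should not present this hunk as fixing the over-read. `strlen (lang_dir_names[i])` is also evaluated twice per iteration; hoisting it into a local such as `size_t len` would keep the call on one line and avoid the wrapped `+` line, which will not apply as posted.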
@@ -1272,7 +1272,7 @@
size_t i;
for (i = 0; i < NUM_BASE_FILES; i++)
- if (memcmp (basename, lang_dir_names[i], strlen (lang_dir_names[i])) ==
0
+ if (strncmp (basename, lang_dir_names[i], strlen (lang_dir_names[i]))
== 0
&& basename[strlen(lang_dir_names[i])] == '/')
return base_files[i];
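Review bot: the `basename[strlen(lang_dir_names[i])] == '/'` test is only in bounds because it runs after the strncmp has matched, which guarantees basename has at least that many non-NUL bytes before the indexed position. That ordering dependency deserves a short comment so the `&&` operands are never reordered. `strlen (lang_dir_names[i])` is computed twice per iteration here too; a local `len` would make both uses obviously the same value and keep the condition from wrapping.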
--
Summary: memcmp reads past end of strings
Product: gcc
Version: 4.2.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: other
AssignedTo: unassigned at gcc dot gnu dot org
ReportedBy: fnf at specifix dot com
GCC build triplet: i686-pc-linux-gnu
GCC host triplet: i686-pc-linux-gnu
GCC target triplet: i686-pc-linux-gnu
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=27348
* [Bug libmudflap/27348] mudflap produces a bogus error with memcmp that goes over the size
2006-04-28 11:53 [Bug other/27348] New: memcmp reads past end of strings gcc-bugzilla at gcc dot gnu dot org
@ 2006-04-28 19:06 ` pinskia at gcc dot gnu dot org
0 siblings, 0 replies; 2+ messages in thread
From: pinskia at gcc dot gnu dot org @ 2006-04-28 19:06 UTC (permalink / raw)
To: gcc-bugs
------- Comment #6 from pinskia at gcc dot gnu dot org 2006-04-28 19:06 -------
Small testcase:
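#include <string.h>

char a[] = "tree.h";    /* 7 bytes including the terminating NUL */
char b[] = "treelang";  /* strlen (b) is 8, one more than sizeof a */
int main(void)
{
  /* Asks memcmp to compare 8 bytes of a 7-byte object. */
  return memcmp (a, b, strlen(b)) != 0;
}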
--
pinskia at gcc dot gnu dot org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
     Ever Confirmed|0                           |1
   Last reconfirmed|0000-00-00 00:00:00         |2006-04-28 19:06:46
               date|                            |
            Summary|memcmp reads past end of    |mudflap produces a bogus
                   |strings in gengtype         |error with memcmp that goes
                   |                            |over the size
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=27348
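
The prefix check discussed in this thread, as an added example that is not code from GCC or from either poster: one strncmp-based matcher and one memcmp-based matcher that checks the buffer size first. The function names and the sample directory list are hypothetical; only "treelang" and "tree.h" come from the testcase above.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample list; only "treelang" appears on the page. */
static const char *const sample_dirs[] = { "c", "cp", "treelang" };
#define NUM_SAMPLE_DIRS (sizeof sample_dirs / sizeof sample_dirs[0])

/* Hypothetical helper: index of the entry that `path` starts with, followed
   by '/', or -1.  strncmp stops at the first NUL in either argument, so a
   `path` shorter than the entry is never read past its terminator. */
int match_lang_dir(const char *path)
{
    for (size_t i = 0; i < NUM_SAMPLE_DIRS; i++) {
        size_t len = strlen(sample_dirs[i]);
        /* After a full match path[0..len-1] are non-NUL, so path[len] is
           at worst the terminator and still inside the object. */
        if (strncmp(path, sample_dirs[i], len) == 0 && path[len] == '/')
            return (int)i;
    }
    return -1;
}

/* memcmp variant for buffers that need not be NUL-terminated: memcmp is
   specified over n bytes of each object, so check the size before calling. */
int match_lang_dir_n(const char *buf, size_t buf_size)
{
    for (size_t i = 0; i < NUM_SAMPLE_DIRS; i++) {
        size_t len = strlen(sample_dirs[i]);
        if (buf_size > len                 /* len bytes plus the '/' */
            && memcmp(buf, sample_dirs[i], len) == 0
            && buf[len] == '/')
            return (int)i;
    }
    return -1;
}

/* Copy `s` into an exactly sized heap block so a memory checker
   (AddressSanitizer, valgrind) would flag any read past the terminator. */
int match_exact_alloc(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p == NULL) return -2;
    memcpy(p, s, n);
    int r = match_lang_dir(p);
    free(p);
    return r;
}
```

Building this with a memory checker enabled and calling match_exact_alloc on short inputs such as "tree.h" exercises the case the report describes without any read past the allocation.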