public inbox for gcc-bugs@sourceware.org
* [Bug other/27348]  New: memcmp reads past end of strings
@ 2006-04-28 11:53 gcc-bugzilla at gcc dot gnu dot org
  2006-04-28 19:06 ` [Bug libmudflap/27348] mudflap produces a bogus error with memcmp that goes over the size pinskia at gcc dot gnu dot org
From: gcc-bugzilla at gcc dot gnu dot org @ 2006-04-28 11:53 UTC (permalink / raw)
  To: gcc-bugs



If you use memcmp to compare strings, it does not stop reading when it
finds the terminating null byte of the shortest string, which can
trigger an attempt to read unallocated memory.  I'd recommend
replacing instances of memcmp on strings with strncmp, which won't
attempt to read past the end of the shortest string.

Environment:
System: Linux puffer.diveadx.com 2.6.16-1.2069_FC4smp #1 SMP Tue Mar 28
12:47:32 EST 2006 i686 i686 i386 GNU/Linux
Architecture: i686


host: i686-pc-linux-gnu
build: i686-pc-linux-gnu
target: i686-pc-linux-gnu
configured with: /src/latest/trunk/src/gcc/configure -v
--prefix=/opt/local/latest/trunk --enable-languages=c,c++
--cache-file=.././config.cache --srcdir=/src/latest/trunk/src/gcc

How-To-Repeat:

As an example, build gengtype with mudflap and run it.  It will
detect lots of reads by memcmp past the end of a string.


------- Comment #1 from fnf at specifix dot com  2006-04-28 11:53 -------
Fix:

Here's an example fix for gengtype.c

Index: gengtype.c
===================================================================
RCS file: /cvsroots/latest/src/gcc/gcc/gengtype.c,v
retrieving revision 1.1.1.4
diff -u -r1.1.1.4 gengtype.c
--- gengtype.c  15 Mar 2006 20:17:05 -0000      1.1.1.4
+++ gengtype.c  28 Apr 2006 10:48:11 -0000
@@ -1179,7 +1179,7 @@
       size_t i;
       for (i = 1; i < NUM_BASE_FILES; i++)
        if ((size_t)(slashpos - basename) == strlen (lang_dir_names [i])
-           && memcmp (basename, lang_dir_names[i], strlen (lang_dir_names[i]))
== 0)
+           && strncmp (basename, lang_dir_names[i], strlen
(lang_dir_names[i])) == 0)
           {
             /* It's in a language directory, set that language.  */
             bitmap = 1 << i;
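
Review bot: the changed lines of this hunk are wrapped by the mailer, leaving `== 0)` and `(lang_dir_names[i])) == 0)` on lines with no `-`/`+` prefix, so the patch will not apply as posted; please resend it unwrapped or as an attachment. Separately, the first half of the condition already requires `(size_t)(slashpos - basename) == strlen (lang_dir_names [i])`, so if slashpos points into the string at basename, the compared length lies within that string and the memcmp here reads no more than strncmp would. It would help to state in the submission whether this site was actually flagged by mudflap or is being changed for consistency with the second hunk.
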
@@ -1272,7 +1272,7 @@
       size_t i;

       for (i = 0; i < NUM_BASE_FILES; i++)
-       if (memcmp (basename, lang_dir_names[i], strlen (lang_dir_names[i])) ==
0
+       if (strncmp (basename, lang_dir_names[i], strlen (lang_dir_names[i]))
== 0
            && basename[strlen(lang_dir_names[i])] == '/')
          return base_files[i];
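
Review bot: the index `basename[strlen(lang_dir_names[i])]` on the line after the new strncmp call is safe only because `&&` evaluates it after strncmp has returned 0, which means basename holds at least that many non-NUL bytes; a one-line comment saying so would keep a later reordering of the condition from reintroducing an out-of-bounds read. This loop has no length check before the comparison, so it is the site where a basename shorter than lang_dir_names[i] matters, and strncmp is the right call. strlen (lang_dir_names[i]) is now evaluated twice per iteration; consider hoisting it into a local size_t.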


-- 
           Summary: memcmp reads past end of strings
           Product: gcc
           Version: 4.2.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: other
        AssignedTo: unassigned at gcc dot gnu dot org
        ReportedBy: fnf at specifix dot com
 GCC build triplet: i686-pc-linux-gnu
  GCC host triplet: i686-pc-linux-gnu
GCC target triplet: i686-pc-linux-gnu


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=27348
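
The prefix test from the report, as an added example that is not part of the original message or of gengtype.c: it shows the strncmp form next to a memcmp form made well-defined by checking the path length first. The table `sample_dirs`, both function names, and all inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample table; the real lang_dir_names in gengtype.c differs. */
static const char *const sample_dirs[] = { "c", "cp", "objc", "java" };
#define NUM_SAMPLE_DIRS (sizeof sample_dirs / sizeof sample_dirs[0])

/* strncmp form, as in the patch: comparison stops at the first NUL in
   either string, so a path shorter than the directory name is never
   read past its terminator. */
static int dir_index_strncmp(const char *path)
{
    for (size_t i = 0; i < NUM_SAMPLE_DIRS; i++) {
        size_t n = strlen(sample_dirs[i]);
        /* strncmp == 0 over n bytes implies path has n non-NUL bytes,
           so path[n] is at worst the terminator and safe to read. */
        if (strncmp(path, sample_dirs[i], n) == 0 && path[n] == '/')
            return (int)i;
    }
    return -1;
}

/* memcmp form: memcmp requires both objects to hold n bytes, so prove
   that path is longer than n before comparing or indexing. */
static int dir_index_memcmp(const char *path)
{
    size_t len = strlen(path);
    for (size_t i = 0; i < NUM_SAMPLE_DIRS; i++) {
        size_t n = strlen(sample_dirs[i]);
        if (len > n && memcmp(path, sample_dirs[i], n) == 0 && path[n] == '/')
            return (int)i;
    }
    return -1;
}

int main(void)
{
    /* Constructed inputs, including ones shorter than a directory name. */
    const char *paths[] = { "cp/decl.c", "c/c-lang.c", "ob", "", "java", "objcp/x.h" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-12s strncmp=%d memcmp=%d\n", paths[i],
               dir_index_strncmp(paths[i]), dir_index_memcmp(paths[i]));
    return 0;
}
```

Building this with a memory checker (for example `-fsanitize=address`) and removing the `len > n` guard shows the kind of report the bug describes when the short inputs sit at the end of an allocation.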

