public inbox for gcc-bugs@sourceware.org
* [Bug bootstrap/55380] New: All search_line_fast implementations read beyond buffer
@ 2012-11-18 15:52 hjl.tools at gmail dot com
  2012-11-19  1:59 ` [Bug bootstrap/55380] " pinskia at gcc dot gnu.org
  2012-12-03 17:20 ` jakub at gcc dot gnu.org
  0 siblings, 2 replies; 3+ messages in thread
From: hjl.tools at gmail dot com @ 2012-11-18 15:52 UTC (permalink / raw)
  To: gcc-bugs


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=55380

             Bug #: 55380
           Summary: All search_line_fast implementations read beyond
                    buffer
    Classification: Unclassified
           Product: gcc
           Version: 4.8.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: bootstrap
        AssignedTo: unassigned@gcc.gnu.org
        ReportedBy: hjl.tools@gmail.com
        Depends on: 54691


Similar to PR 54691, GCC built with -faddress-sanitizer leads to

==7876== ERROR: AddressSanitizer heap-buffer-overflow on address 0x7f3484513ff0
at pc 0x1e792db bp 0x7fffbed86340 sp 0x7fffbed86338
READ of size 16 at 0x7f3484513ff0 thread T0
    #0 0x1e792da
(/export/build/gnu/gcc-asan/build-x86_64-linux/gcc/cc1+0x1e792da)
0x7f3484513ff0 is located 0 bytes to the right of 4021-byte region
[0x7f3484513040,0x7f3484513ff5)
allocated by thread T0 here:
    #0 0x1f2d48c
(/export/build/gnu/gcc-asan/build-x86_64-linux/gcc/cc1+0x1f2d48c)
    #1 0x1f2609c
(/export/build/gnu/gcc-asan/build-x86_64-linux/gcc/cc1+0x1f2609c)
Shadow byte and word:
  0x1fe6908a27fe: 5
  0x1fe6908a27f8: 00 00 00 00 00 00 05 fb

[hjl@gnu-tools-1 gcc]$ addr2line -e cc1 0x1e792da 
/export/gnu/import/git/sources/gcc/libcpp/lex.c:393
[hjl@gnu-tools-1 gcc]$ 

All search_line_fast implementations read beyond buffer.



* [Bug bootstrap/55380] All search_line_fast implementations read beyond buffer
  2012-11-18 15:52 [Bug bootstrap/55380] New: All search_line_fast implementations read beyond buffer hjl.tools at gmail dot com
@ 2012-11-19  1:59 ` pinskia at gcc dot gnu.org
  2012-12-03 17:20 ` jakub at gcc dot gnu.org
  1 sibling, 0 replies; 3+ messages in thread
From: pinskia at gcc dot gnu.org @ 2012-11-19  1:59 UTC (permalink / raw)
  To: gcc-bugs


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=55380

Andrew Pinski <pinskia at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|                            |INVALID

--- Comment #1 from Andrew Pinski <pinskia at gcc dot gnu.org> 2012-11-19 01:59:22 UTC ---
>All search_line_fast implementations read beyond buffer.

Yes, and this is one of the false positives, really.  We might read past the
bounds of an array, but it is always at an aligned location and does not really
depend on those reads past the bounds.



* [Bug bootstrap/55380] All search_line_fast implementations read beyond buffer
  2012-11-18 15:52 [Bug bootstrap/55380] New: All search_line_fast implementations read beyond buffer hjl.tools at gmail dot com
  2012-11-19  1:59 ` [Bug bootstrap/55380] " pinskia at gcc dot gnu.org
@ 2012-12-03 17:20 ` jakub at gcc dot gnu.org
  1 sibling, 0 replies; 3+ messages in thread
From: jakub at gcc dot gnu.org @ 2012-12-03 17:20 UTC (permalink / raw)
  To: gcc-bugs


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=55380

--- Comment #2 from Jakub Jelinek <jakub at gcc dot gnu.org> 2012-12-03 17:20:01 UTC ---
Author: jakub
Date: Mon Dec  3 17:19:47 2012
New Revision: 194102

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=194102
Log:
    PR bootstrap/55380
    PR other/54691
    * files.c (read_file_guts): Allocate extra 16 bytes instead of
    1 byte at the end of buf.  Pass size + 16 instead of size
    to _cpp_convert_input.
    * charset.c (_cpp_convert_input): Reallocate if there aren't
    at least 16 bytes beyond to.len in the buffer.  Clear 16 bytes
    at to.text + to.len.

Modified:
    trunk/libcpp/ChangeLog
    trunk/libcpp/charset.c
    trunk/libcpp/files.c


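The over-read and the shape of the r194102 fix, as an added example that is not libcpp's code: a block-at-a-time scanner in the style of search_line_fast that loads whole 16-byte blocks until it hits a '\n' sentinel, plus an allocator that pads and clears 16 bytes after the data so the block containing the sentinel stays inside the allocation. It assumes the 4021-byte region in the ASan report is 4020 file bytes plus the 1-byte terminator (so the last block reaches 11 bytes past it); all function names are hypothetical.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define BLOCK 16   /* the SSE search_line_fast variants load 16-byte blocks */

/* How far the block holding the '\n' sentinel at buf[len] reaches past it:
   0 when the sentinel is last in its block, up to 15 otherwise.  With only
   a 1-byte terminator those bytes are outside the allocation. */
size_t sentinel_block_overread(size_t len) { return BLOCK - 1 - len % BLOCK; }

/* Allocation that keeps that block inside: data, sentinel, and padding up
   to a multiple of BLOCK, always at least len + 16 (r194102's extra 16). */
size_t padded_size(size_t len) { return (len + 2 * BLOCK - 1) / BLOCK * BLOCK; }

/* Copy src into a BLOCK-aligned buffer, put '\n' at buf[len], zero the rest. */
static unsigned char *alloc_padded(const unsigned char *src, size_t len)
{
    size_t total = padded_size(len);
    unsigned char *buf = aligned_alloc(BLOCK, total);
    if (!buf) return NULL;
    memcpy(buf, src, len);
    memset(buf + len, 0, total - len);
    buf[len] = '\n';                      /* sentinel: scan always terminates */
    return buf;
}

/* Block-at-a-time scan for the first '\n'; the sentinel bounds it. */
static size_t search_line_blocks(const unsigned char *buf)
{
    for (size_t off = 0;; off += BLOCK) {
        unsigned char blk[BLOCK];
        memcpy(blk, buf + off, BLOCK);    /* whole block, may extend past buf[len] */
        for (size_t i = 0; i < BLOCK; i++)
            if (blk[i] == '\n') return off + i;
    }
}

/* Offset of the first '\n' in src[0..len), or len if there is none. */
size_t find_newline(const unsigned char *src, size_t len)
{
    unsigned char *buf = alloc_padded(src, len);
    if (!buf) return len;
    size_t pos = search_line_blocks(buf);
    free(buf);
    return pos;
}
```

Built with -fsanitize=address, the same scanner over a buffer sized len + 1 reproduces the heap-buffer-overflow report above; with padded_size it stays clean.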
