Date: Thu, 11 Jul 2019 08:04:00 -0000
From: Pierre-Marie de Rodat
To: gcc-patches@gcc.gnu.org
Cc: Claire Dross
Subject: [Ada] Memory corruption when using formal hashed sets or maps
Message-ID: <20190711080345.GA95233@adacore.com>

Add a check to avoid causing a buffer overflow when the map is empty

Tested on x86_64-pc-linux-gnu, committed on trunk

2019-07-11  Claire Dross

gcc/ada/

	* libgnat/a-cfhama.adb, libgnat/a-cfhase.adb (Free): Do not
	reset the Has_Element flag if no element is freed.

--- gcc/ada/libgnat/a-cfhama.adb +++ gcc/ada/libgnat/a-cfhama.adb @@ -509,8 +509,11 @@ is procedure Free (HT : in out Map; X : Count_Type) is begin - HT.Nodes (X).Has_Element := False; - HT_Ops.Free (HT, X); + if X /= 0 then + pragma Assert (X <= HT.Capacity); + HT.Nodes (X).Has_Element := False; + HT_Ops.Free (HT, X); + end if; end Free; ---------------------- --- gcc/ada/libgnat/a-cfhase.adb +++ gcc/ada/libgnat/a-cfhase.adb @@ -760,8 +760,11 @@ is procedure Free (HT : in out Set; X : Count_Type) is begin - HT.Nodes (X).Has_Element := False; - HT_Ops.Free (HT, X); + if X /= 0 then + pragma Assert (X <= HT.Capacity); + HT.Nodes (X).Has_Element := False; + HT_Ops.Free (HT, X); + end if; end Free; ----------------------
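
Review bot: In the a-cfhama.adb hunk, the upper bound on X is enforced only by `pragma Assert (X <= HT.Capacity)`, which has no effect when assertions are disabled, so in such a build a nonzero out-of-range X still reaches `HT.Nodes (X)` and is covered only by whatever index checks the unit is compiled with. If the bound is meant as a runtime guard like the new X /= 0 test, fold it into the condition (`if X /= 0 and then X <= HT.Capacity then`); if it is there only as a proof aid, a short comment saying so would make the intent clear.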
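
Review bot: In the a-cfhase.adb hunk, the new `if X /= 0 then` guard in Free carries no comment saying what X = 0 stands for or which caller can pass it; the ChangeLog only says "no element is freed" and the message speaks of an empty map, while this file is the set implementation. A one-line comment above the test would document the case, and since the mail lists no testsuite entry, a regression test that exercises the empty-container path for both Map and Set would keep the fix from regressing.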