Message-Id: <20020904220152.25632.qmail@sources.redhat.com>
Date: Wed, 04 Sep 2002 15:06:00 -0000
From: greenrd@hotmail.com
Reply-To: greenrd@hotmail.com
To: gcc-gnats@gcc.gnu.org
Subject: java/7830: Off-by-one buffer overruns in fastjar tool

>Number:         7830
>Category:       java
>Synopsis:       Off-by-one buffer overruns in fastjar tool
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    unassigned
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Sep 04 15:06:00 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     greenrd@hotmail.com
>Release:        gcc-3.2
>Organization:
>Environment:
Red Hat Rawhide, with Red Hat's glibc-2.2.90-26
>Description:
The fastjar tool (jar) included with gcc 3.2 has a bug where, if a filename being read is the same length as the buffer it is being read into, it neglects to re-malloc the buffer to allow room for the null terminator. If the MALLOC_CHECK_ environment variable is set to 2, this causes the program to abort when it next tries to free and re-malloc the buffer. The bug was already fixed in one copy of a chunk of code, but not in two other copies.
>How-To-Repeat:
The following shell script reproduces the bug.
Expected last line of output:

./jarbug-demo.sh: line 23: [pid] Aborted                 jar tf test.jar

#! /bin/bash

# Echo commands to stdout
set -x

# Ensure that the bug will result in an abort()
export MALLOC_CHECK_=2

# Create some test entries to put in the jar:
# These must be longer than the META-INF entries, which come first, to trigger the bug,
# hence the 000s
mkdir -p test/000000000000000000000000000-a

# Add an entry whose length is 1 longer than the previous one
mkdir -p test/000000000000000000000000000-ab

# Another entry, to let malloc notice the bug
mkdir -p test/000000000000000000000000000-dummy

# Create the test jar, ensuring files are added in sorted order
find test/*|sort|xargs jar cvf test.jar

# List the contents of the test jar - now bug should happen
jar tf test.jar

>Fix:
Apply attached patch
>Release-Note:
>Audit-Trail:
>Unformatted:
----gnatsweb-attachment----
Content-Type: application/octet-stream; name="jartool.c.patch"
Content-Disposition: attachment; filename="jartool.c.patch"

jartool.c.patch (decoded from the base64 attachment):

--- fastjar/jartool.orig	2002-03-18 11:08:59.000000000 +0000
+++ fastjar/jartool.c	2002-09-04 22:21:13.000000000 +0100
@@ -1657,7 +1657,7 @@
         strftime(ascii_date, 30, "%a %b %d %H:%M:%S %Z %Y", s_tm);
       }
 
-      if(filename_len < fnlen){
+      if(filename_len < fnlen + 1){
         if(filename != NULL)
           free(filename);
       
@@ -1776,7 +1776,7 @@
         strftime(ascii_date, 30, "%a %b %d %H:%M:%S %Z %Y", s_tm);
      }

-        if(filename_len < fnlen){
+      if(filename_len < fnlen + 1){
        if(filename != NULL)
          free(filename);
        
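Review bot: in the hunk at @@ -1657,7 the new test `filename_len < fnlen + 1` only closes the hole if the lines just below the visible context (not part of the hunk) allocate the matching size and record it, i.e. the `free(filename)` must be followed by an allocation of `fnlen + 1` bytes and `filename_len` must be set to that same value; if the allocation or the stored length stays at `fnlen`, a name of exactly `filename_len` bytes still places its terminator one byte past the end and the abort under MALLOC_CHECK_=2 moves rather than disappears. Please include those lines in the hunk so the reviewer can see both halves of the fix.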
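Review bot: the hunk at @@ -1776,7 is the second of the two unfixed copies of the same grow-then-copy block named in the description, so after this patch the same `< fnlen + 1` test lives in three places; factoring the free/allocate/record-length sequence into one helper that guarantees `fnlen + 1` bytes would stop the copies drifting apart again, which is exactly how this bug survived the earlier fix. Minor: the replacement `+      if(filename_len < fnlen + 1){` is indented two columns less than the `-        if(filename_len < fnlen){` line it replaces, so the hunk reads as a whitespace change on top of the logic change.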
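The off-by-one described in the report, as an added C example that is neither the reporter's script nor fastjar's own code. It models the grow-then-copy pattern from the description: a name buffer that is reallocated whenever an incoming name does not fit, where the only difference between the buggy and the patched variant is the growth test (`filename_len < fnlen` versus `filename_len < fnlen + 1`). The assumption that the buffer is allocated at fnlen + 1 bytes on growth and that the stored length records that allocated size, the entry names, and the function names store_name() and count_overruns() are all constructed for this example; instead of actually writing past the buffer, store_name() returns -1 at the point where the original would overrun.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growable name buffer. cap is the malloc'd size in bytes (0 while buf is NULL)
 * and plays the role of fastjar's filename_len in the report. */
typedef struct {
    char *buf;
    size_t cap;
} namebuf;

/*
 * Grow-if-needed, then copy name plus NUL terminator. Assumption (not taken
 * from fastjar's source): on growth the buffer is allocated at fnlen + 1 bytes
 * and cap records that size. With fixed == 0 the growth test is the reported
 * `filename_len < fnlen`; with fixed != 0 it is the patch's `< fnlen + 1`.
 * Where the buggy test would let the terminator land one byte past the end,
 * the copy is refused and -1 returned instead of performing the overrun.
 */
static int store_name(namebuf *nb, const char *name, size_t fnlen, int fixed)
{
    size_t threshold = fixed ? fnlen + 1 : fnlen;
    if (nb->cap < threshold) {
        free(nb->buf);
        nb->buf = malloc(fnlen + 1);
        if (nb->buf == NULL) {
            nb->cap = 0;
            return -2;          /* allocation failure, unrelated to the bug */
        }
        nb->cap = fnlen + 1;
    }
    if (nb->cap < fnlen + 1)    /* name + NUL does not fit: the off-by-one */
        return -1;
    memcpy(nb->buf, name, fnlen);
    nb->buf[fnlen] = '\0';
    return 0;
}

/*
 * Replays the entry order from the report's jar (META-INF entries first, then
 * the long test names; all names constructed here) and returns how many
 * entries would overrun under the chosen growth test.
 */
int count_overruns(int fixed)
{
    static const char *const entries[] = {
        "META-INF/",
        "META-INF/MANIFEST.MF",
        "test/000000000000000000000000000-a/",
        "test/000000000000000000000000000-ab/",     /* exactly cap bytes long */
        "test/000000000000000000000000000-dummy/",
    };
    namebuf nb = { NULL, 0 };
    int overruns = 0;

    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++)
        if (store_name(&nb, entries[i], strlen(entries[i]), fixed) == -1)
            overruns++;

    free(nb.buf);
    return overruns;
}

int main(void)
{
    printf("reported test: %d overrun(s); patched test: %d overrun(s)\n",
           count_overruns(0), count_overruns(1));
    return 0;
}
```

With the reported test, the "-a" entry grows the buffer to its own length plus one, and the "-ab" entry, being exactly that long, passes the check without growing and would write its terminator one byte past the allocation; with the patched test the same entry triggers a reallocation and nothing overruns. This is why the script needs two names that differ in length by exactly one.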