public inbox for gcc-prs@sourceware.org
* Re: java/7830: Off-by-one buffer overruns in fastjar tool
@ 2002-09-04 15:40 tromey
0 siblings, 0 replies; 2+ messages in thread
From: tromey @ 2002-09-04 15:40 UTC (permalink / raw)
To: gcc-bugs, gcc-prs, greenrd, java-prs, nobody, tromey
Synopsis: Off-by-one buffer overruns in fastjar tool
Responsible-Changed-From-To: unassigned->tromey
Responsible-Changed-By: tromey
Responsible-Changed-When: Wed Sep 4 15:40:32 2002
Responsible-Changed-Why:
I'm handling this.
State-Changed-From-To: open->closed
State-Changed-By: tromey
State-Changed-When: Wed Sep 4 15:40:32 2002
State-Changed-Why:
Thanks, I'm checking in your fix.
http://gcc.gnu.org/cgi-bin/gnatsweb.pl?cmd=view%20audit-trail&database=gcc&pr=7830
* java/7830: Off-by-one buffer overruns in fastjar tool
@ 2002-09-04 15:06 greenrd
0 siblings, 0 replies; 2+ messages in thread
From: greenrd @ 2002-09-04 15:06 UTC (permalink / raw)
To: gcc-gnats
>Number: 7830
>Category: java
>Synopsis: Off-by-one buffer overruns in fastjar tool
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: unassigned
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Sep 04 15:06:00 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: greenrd@hotmail.com
>Release: gcc-3.2
>Organization:
>Environment:
Red Hat Rawhide, with Red Hat's glibc-2.2.90-26
>Description:
The fastjar tool (jar) included with gcc 3.2 has a bug where if a filename being read is the same length as the buffer it is being read into, it neglects to re-malloc the buffer to allow room for the null terminator. If the MALLOC_CHECK_ environment variable is set to 2 this causes the program to abort when it next tries to free and re-malloc the buffer.
The bug was already fixed in one copy of a chunk of code, but not in two other copies.
>How-To-Repeat:
The following shell script reproduces the bug. Expected last line of output:
./jarbug-demo.sh: line 23: [pid] Aborted jar tf test.jar
#! /bin/bash
# Echo commands to stdout
set -x
# Ensure that the bug will result in an abort()
export MALLOC_CHECK_=2
# Create some test entries to put in the jar:
# These must be longer than the META-INF entries, which come first, to trigger the bug,
# hence the 000s
mkdir -p test/000000000000000000000000000-a
# Add an entry whose length is 1 longer than the previous one
mkdir -p test/000000000000000000000000000-ab
# Another entry, to let malloc notice the bug
mkdir -p test/000000000000000000000000000-dummy
# Create the test jar, ensuring files are added in sorted order
find test/*|sort|xargs jar cvf test.jar
# List the contents of the test jar - now bug should happen
jar tf test.jar
>Fix:
Apply attached patch
>Release-Note:
>Audit-Trail:
>Unformatted:
----gnatsweb-attachment----
Content-Type: application/octet-stream; name="jartool.c.patch"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="jartool.c.patch"
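As an added example (a constructed model, not fastjar's jartool.c, which is not reproduced on this page), the following C snippet mirrors the grow-then-terminate pattern the report describes and replays the entry order from the reproducer script: the buggy check skips the realloc when the name length equals the buffer size, so the NUL terminator would land one byte past the end. The entry names and the buffer helper are assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>

/* Growable buffer for an archive entry name (constructed model of the
 * pattern described in the report, not fastjar's own code). */
struct name_buf { char *data; size_t cap; };

/* Grow the buffer before reading 'len' name bytes plus a NUL terminator.
 * buggy_check reproduces the reported off-by-one: when len == cap the
 * realloc is skipped, leaving no room for the terminator. */
static int grow_for_name(struct name_buf *b, size_t len, int buggy_check)
{
    int need_grow = buggy_check ? (len > b->cap) : (len >= b->cap);
    if (need_grow) {
        char *p = realloc(b->data, len + 1);
        if (p == NULL)
            return 0;
        b->data = p;
        b->cap = len + 1;
    }
    return b->cap >= len + 1;   /* 0 means the NUL would overrun */
}

/* Store a name; returns 0 instead of performing the one-byte overrun. */
static int store_name(struct name_buf *b, const char *name, int buggy_check)
{
    size_t len = strlen(name);
    if (!grow_for_name(b, len, buggy_check))
        return 0;
    memcpy(b->data, name, len);
    b->data[len] = '\0';
    return 1;
}

/* Replay the entry order from the reproducer (META-INF entries first, then
 * a name one byte longer than its predecessor). Returns the index of the
 * first entry whose terminator would overrun the buffer, or -1 if none. */
int first_overrun(int buggy_check)
{
    static const char *entries[] = {
        "META-INF/", "META-INF/MANIFEST.MF",
        "test/000000000000000000000000000-a",
        "test/000000000000000000000000000-ab",
        "test/000000000000000000000000000-dummy",
    };
    struct name_buf b = { NULL, 0 };
    int i, bad = -1;
    for (i = 0; i < 5; i++)
        if (!store_name(&b, entries[i], buggy_check)) { bad = i; break; }
    free(b.data);
    return bad;
}
```

With the buggy comparison the fourth entry (index 3, the name exactly as long as the buffer) is the one that would overrun; with the corrected comparison every entry fits.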