preprocessor/8055: CPP0 segfault on FreeBSD + PATCH

[ak03@gte.com]

>Number:         8055
>Category:       preprocessor
>Synopsis:       PATCH: CPPO dies with SIG11 when building FreeBSD kernel
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    unassigned
>State:          open
>Class:          ice-on-legal-code
>Submitter-Id:   net
>Arrival-Date:   Thu Sep 26 08:26:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Alexander N. Kabaev
>Release:        3.2.1 [FreeBSD] 20020916 (prerelease)
>Organization:
>Environment:

System: FreeBSD kanpc.gte.com 5.0-CURRENT FreeBSD 5.0-CURRENT #0: Mon Sep 16 10:44:41EDT 2002 root@kanpc.gte.com:/usr/obj/usr/src/sys/KANPC  i386
GCC 3.2.1 configured as system compiler

As well as:
System: FreeBSD ork.gte.com 4.7-PRERELEASE FreeBSD 4.7-PRERELEASE #0: Mon Sep 16 11:16:37 EDT 2002 root@ork.gte.com:/usr/src/sys/compile/KAN i386

GCC 3.2.1 built from ports:
host: i386-portbld-freebsd4.7
build: i386-portbld-freebsd4.7
target: i386-portbld-freebsd4.7
configured with: ./..//gcc-20020902/configure --disable-nls --with-gnu-as --with-gnu-ld --with-gxx-include-dir=/usr/local/lib/gcc-lib/i386-portbld-freebsd4.7/3.2.1/include/g++-v3 --with-system-zlib --includedir=/usr/local/lib/gcc-lib/i386-portbld-freebsd4.7/3.2.1/include/Java --disable-libgcj --disable-shared --prefix=/usr/local i386-portbld-freebsd4.7
>Description:
	Preprocessor CPP0 dumps core when used to create dependencies list 
	while building the FreeBSD kernel. The reason is the bug in gcc/cppmacro.cpp
	in function stringify_arg. If pfile->u_buff buffer is completely filled
	when the function is called (i.e.
	BUFF_FRONT (pfile->u_buff) == BUFF_LIMIT (pfile->u_buff) ), and the
        macro_arg passed to it as a second parameter has no tokens, that is
	arg->count is 0, then stringify_buffer will happily advance the
        BUFF_FRONT(pfile->u_buff) pointer past the BUFF_LIMIT (pfile->u_buff) 
	values, making comparisons like 
          (size_t) (BUFF_LIMIT (pfile->u_buff) - dest) < len
        useless. CPP0 will dump core shortly afterwards trying strchr/strcpy
	a string which it thinks is about 4G in size.

>How-To-Repeat:
	The test case is not exactly trivial to produce. The stringify_arg
	function should be called with an empty argument and completely
	filled buffer. The layout of system header files happend to 
	trigger exectly this condition.
>Fix:
	The patch below takes care of the problem.

Index: contrib/gcc/cppmacro.c
===================================================================
RCS file: /usr/ncvs/src/contrib/gcc/cppmacro.c,v
retrieving revision 1.1.1.4
diff -u -r1.1.1.4 cppmacro.c
--- contrib/gcc/cppmacro.c	1 Sep 2002 20:37:29 -0000	1.1.1.4
+++ contrib/gcc/cppmacro.c	24 Sep 2002 15:40:54 -0000
@@ -349,6 +349,12 @@
 
   /* Commit the memory, including NUL, and return the token.  */
   len = dest - BUFF_FRONT (pfile->u_buff);
+  if ((size_t) (BUFF_LIMIT (pfile->u_buff) - dest) < 1)
+    {
+      size_t len_so_far = dest - BUFF_FRONT (pfile->u_buff);
+      _cpp_extend_buff (pfile, &pfile->u_buff, 1);
+      dest = BUFF_FRONT (pfile->u_buff) + len_so_far;
+    }
   BUFF_FRONT (pfile->u_buff) = dest + 1;
   return new_string_token (pfile, dest - len, len);
 }
>Release-Note:
>Audit-Trail:
>Unformatted: