public inbox for gcc-prs@sourceware.org
help / color / mirror / Atom feed
From: Zack Weinberg <zack@codesourcery.com>
To: nobody@gcc.gnu.org
Cc: gcc-prs@gcc.gnu.org,
Subject: Re: preprocessor/8055: CPP0 segfault on FreeBSD + PATCH
Date: Fri, 27 Sep 2002 12:56:00 -0000	[thread overview]
Message-ID: <20020927195602.23094.qmail@sources.redhat.com> (raw)

The following reply was made to PR preprocessor/8055; it has been noted by GNATS.

From: Zack Weinberg <zack@codesourcery.com>
To: ak03@gte.com, Mark Mitchell <mark@codesourcery.com>,
	Neil Booth <neil@daikokuya.co.uk>
Cc: gcc-gnats@gcc.gnu.org, gcc-patches@gcc.gnu.org
Subject: Re: preprocessor/8055: CPP0 segfault on FreeBSD + PATCH
Date: Fri, 27 Sep 2002 12:50:09 -0700

 Thank you for this bug report.  I've reproduced the problem, and
 confirm your analysis.  I'm going to do a complete bootstrap+test
 cycle on a slight modification of your patch (see below) and will
 apply to mainline if successful.
 
 Mark, is this an acceptable patch for 3.2.1?  It's not clear whether
 it's a regression from earlier 3.x, but it has been seen in the wild,
 and the fix is small, self-contained, and obvious.
 
 zw
 
 	* cppmacro.c (stringify_arg): Do not overflow the buffer
 	with the terminating NUL when the argument to be stringified
 	has no tokens.
 	* gcc.dg/cpp/20020927-1.c: New test case.
 
 ===================================================================
 Index: cppmacro.c
 --- cppmacro.c	22 Sep 2002 02:03:17 -0000	1.124
 +++ cppmacro.c	27 Sep 2002 19:48:15 -0000
 @@ -409,6 +409,12 @@ stringify_arg (pfile, arg)
      }
  
    /* Commit the memory, including NUL, and return the token.  */
 +  if ((size_t) (BUFF_LIMIT (pfile->u_buff) - dest) < 1)
 +    {
 +      size_t len_so_far = dest - BUFF_FRONT (pfile->u_buff);
 +      _cpp_extend_buff (pfile, &pfile->u_buff, 1);
 +      dest = BUFF_FRONT (pfile->u_buff) + len_so_far;
 +    }
    len = dest - BUFF_FRONT (pfile->u_buff);
    BUFF_FRONT (pfile->u_buff) = dest + 1;
    return new_string_token (pfile, dest - len, len);
 ===================================================================
 Index: testsuite/gcc.dg/cpp/20020927-1.c
 --- testsuite/gcc.dg/cpp/20020927-1.c	1 Jan 1970 00:00:00 -0000
 +++ testsuite/gcc.dg/cpp/20020927-1.c	27 Sep 2002 19:47:37 -0000
 @@ -0,0 +1,91 @@
 +/* Test case for buffer overflow bug in token stringification.
 +   See PR preprocessor/8055 for details.
 +   Reported by Alexander N. Kabaev <ak03@gte.com>.
 +   Test case written by Zack Weinberg <zack@codesourcery.com>.  */
 +
 +/* { dg-do preprocess } */
 +
 +#define S(x) #x
 +
 +/* Fill up one internal buffer with data.  */
 +S(1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  12345678901234567890123456789012345678901234567890123456789012345)
 +
 +/* When stringify_arg() was called with an empty macro argument, it would
 +   advance the buffer pointer by one but fail to check for running past the
 +   end of the buffer.  We can only know where the end of the buffer is to
 +   within about eight bytes, so do this sixteen times to be sure of hitting
 +   it.  */
 +
 +S()
 +S()
 +S()
 +S()
 +S()
 +S()
 +S()
 +S()
 +S()
 +S()
 +S()
 +S()
 +S()
 +S()
 +S()
 +S()
 +
 +/* Now allocate more memory in the buffer, which should provoke a crash.  */
 +
 +S(abcdefghijklmnopqrstuvwxyz)
 +S(abcdefghijklmnopqrstuvwxyz)
 


             reply	other threads:[~2002-09-27 19:56 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2002-09-27 12:56 Zack Weinberg [this message]
  -- strict thread matches above, loose matches on Subject: below --
2002-10-04 11:46 Neil Booth
2002-09-27 15:56 Mark Mitchell
2002-09-27 15:16 Zack Weinberg
2002-09-27 13:56 Mark Mitchell
2002-09-27 13:16 Alexander Kabaev
2002-09-26  8:26 ak03

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20020927195602.23094.qmail@sources.redhat.com \
    --to=zack@codesourcery.com \
    --cc=gcc-prs@gcc.gnu.org \
    --cc=nobody@gcc.gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).