public inbox for gcc-prs@sourceware.org help / color / mirror / Atom feed
From: Zack Weinberg <zack@codesourcery.com> To: nobody@gcc.gnu.org Cc: gcc-prs@gcc.gnu.org, Subject: Re: preprocessor/8055: CPP0 segfault on FreeBSD + PATCH Date: Fri, 27 Sep 2002 12:56:00 -0000 [thread overview] Message-ID: <20020927195602.23094.qmail@sources.redhat.com> (raw) The following reply was made to PR preprocessor/8055; it has been noted by GNATS. From: Zack Weinberg <zack@codesourcery.com> To: ak03@gte.com, Mark Mitchell <mark@codesourcery.com>, Neil Booth <neil@daikokuya.co.uk> Cc: gcc-gnats@gcc.gnu.org, gcc-patches@gcc.gnu.org Subject: Re: preprocessor/8055: CPP0 segfault on FreeBSD + PATCH Date: Fri, 27 Sep 2002 12:50:09 -0700 Thank you for this bug report. I've reproduced the problem, and confirm your analysis. I'm going to do a complete bootstrap+test cycle on a slight modification of your patch (see below) and will apply to mainline if successful. Mark, is this an acceptable patch for 3.2.1? It's not clear whether it's a regression from earlier 3.x, but it has been seen in the wild, and the fix is small, self-contained, and obvious. zw * cppmacro.c (stringify_arg): Do not overflow the buffer with the terminating NUL when the argument to be stringified has no tokens. * gcc.dg/cpp/20020927-1.c: New test case. =================================================================== Index: cppmacro.c --- cppmacro.c 22 Sep 2002 02:03:17 -0000 1.124 +++ cppmacro.c 27 Sep 2002 19:48:15 -0000 @@ -409,6 +409,12 @@ stringify_arg (pfile, arg) } /* Commit the memory, including NUL, and return the token. */ + if ((size_t) (BUFF_LIMIT (pfile->u_buff) - dest) < 1) + { + size_t len_so_far = dest - BUFF_FRONT (pfile->u_buff); + _cpp_extend_buff (pfile, &pfile->u_buff, 1); + dest = BUFF_FRONT (pfile->u_buff) + len_so_far; + } len = dest - BUFF_FRONT (pfile->u_buff); BUFF_FRONT (pfile->u_buff) = dest + 1; return new_string_token (pfile, dest - len, len); =================================================================== Index: testsuite/gcc.dg/cpp/20020927-1.c --- testsuite/gcc.dg/cpp/20020927-1.c 1 Jan 1970 00:00:00 -0000 +++ testsuite/gcc.dg/cpp/20020927-1.c 27 Sep 2002 19:47:37 -0000 @@ -0,0 +1,91 @@ +/* Test case for buffer overflow bug in token stringification. + See PR preprocessor/8055 for details. + Reported by Alexander N. Kabaev <ak03@gte.com>. + Test case written by Zack Weinberg <zack@codesourcery.com>. */ + +/* { dg-do preprocess } */ + +#define S(x) #x + +/* Fill up one internal buffer with data. */ +S(1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 1234567890123456789012345678901234567890123456789012345678901234567890 + 12345678901234567890123456789012345678901234567890123456789012345) + +/* When stringify_arg() was called with an empty macro argument, it would + advance the buffer pointer by one but fail to check for running past the + end of the buffer. We can only know where the end of the buffer is to + within about eight bytes, so do this sixteen times to be sure of hitting + it. */ + +S() +S() +S() +S() +S() +S() +S() +S() +S() +S() +S() +S() +S() +S() +S() +S() + +/* Now allocate more memory in the buffer, which should provoke a crash. */ + +S(abcdefghijklmnopqrstuvwxyz) +S(abcdefghijklmnopqrstuvwxyz)
next reply other threads:[~2002-09-27 19:56 UTC|newest] Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top 2002-09-27 12:56 Zack Weinberg [this message] -- strict thread matches above, loose matches on Subject: below -- 2002-10-04 11:46 Neil Booth 2002-09-27 15:56 Mark Mitchell 2002-09-27 15:16 Zack Weinberg 2002-09-27 13:56 Mark Mitchell 2002-09-27 13:16 Alexander Kabaev 2002-09-26 8:26 ak03
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20020927195602.23094.qmail@sources.redhat.com \ --to=zack@codesourcery.com \ --cc=gcc-prs@gcc.gnu.org \ --cc=nobody@gcc.gnu.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).