From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gcc-prs-return-22253-listarch-gcc-prs=gcc.gnu.org@gcc.gnu.org>
Received: (qmail 23109 invoked by alias); 27 Sep 2002 19:56:03 -0000
Mailing-List: contact gcc-prs-help@gcc.gnu.org; run by ezmlm
Precedence: bulk
List-Archive: <http://gcc.gnu.org/ml/gcc-prs/>
List-Post: <mailto:gcc-prs@gcc.gnu.org>
List-Help: <mailto:gcc-prs-help@gcc.gnu.org>
Sender: gcc-prs-owner@gcc.gnu.org
Received: (qmail 23095 invoked by uid 71); 27 Sep 2002 19:56:02 -0000
Date: Fri, 27 Sep 2002 12:56:00 -0000
Message-ID: <20020927195602.23094.qmail@sources.redhat.com>
To: nobody@gcc.gnu.org
Cc: gcc-prs@gcc.gnu.org,
From: Zack Weinberg <zack@codesourcery.com>
Subject: Re: preprocessor/8055: CPP0 segfault on FreeBSD + PATCH
Reply-To: Zack Weinberg <zack@codesourcery.com>
X-SW-Source: 2002-09/txt/msg00759.txt.bz2
List-Id: <gcc-prs.sourceware.org>

The following reply was made to PR preprocessor/8055; it has been noted by GNATS.

From: Zack Weinberg <zack@codesourcery.com>
To: ak03@gte.com, Mark Mitchell <mark@codesourcery.com>,
	Neil Booth <neil@daikokuya.co.uk>
Cc: gcc-gnats@gcc.gnu.org, gcc-patches@gcc.gnu.org
Subject: Re: preprocessor/8055: CPP0 segfault on FreeBSD + PATCH
Date: Fri, 27 Sep 2002 12:50:09 -0700

 Thank you for this bug report.  I've reproduced the problem, and
 confirm your analysis.  I'm going to do a complete bootstrap+test
 cycle on a slight modification of your patch (see below) and will
 apply to mainline if successful.
 
 Mark, is this an acceptable patch for 3.2.1?  It's not clear whether
 it's a regression from earlier 3.x, but it has been seen in the wild,
 and the fix is small, self-contained, and obvious.
 
 zw
 
 	* cppmacro.c (stringify_arg): Do not overflow the buffer
 	with the terminating NUL when the argument to be stringified
 	has no tokens.
 	* gcc.dg/cpp/20020927-1.c: New test case.
 
 ===================================================================
 Index: cppmacro.c
 --- cppmacro.c	22 Sep 2002 02:03:17 -0000	1.124
 +++ cppmacro.c	27 Sep 2002 19:48:15 -0000
 @@ -409,6 +409,12 @@ stringify_arg (pfile, arg)
      }
  
    /* Commit the memory, including NUL, and return the token.  */
 +  if ((size_t) (BUFF_LIMIT (pfile->u_buff) - dest) < 1)
 +    {
 +      size_t len_so_far = dest - BUFF_FRONT (pfile->u_buff);
 +      _cpp_extend_buff (pfile, &pfile->u_buff, 1);
 +      dest = BUFF_FRONT (pfile->u_buff) + len_so_far;
 +    }
    len = dest - BUFF_FRONT (pfile->u_buff);
    BUFF_FRONT (pfile->u_buff) = dest + 1;
    return new_string_token (pfile, dest - len, len);
 ===================================================================
 Index: testsuite/gcc.dg/cpp/20020927-1.c
 --- testsuite/gcc.dg/cpp/20020927-1.c	1 Jan 1970 00:00:00 -0000
 +++ testsuite/gcc.dg/cpp/20020927-1.c	27 Sep 2002 19:47:37 -0000
 @@ -0,0 +1,91 @@
 +/* Test case for buffer overflow bug in token stringification.
 +   See PR preprocessor/8055 for details.
 +   Reported by Alexander N. Kabaev <ak03@gte.com>.
 +   Test case written by Zack Weinberg <zack@codesourcery.com>.  */
 +
 +/* { dg-do preprocess } */
 +
 +#define S(x) #x
 +
 +/* Fill up one internal buffer with data.  */
 +S(1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  1234567890123456789012345678901234567890123456789012345678901234567890
 +  12345678901234567890123456789012345678901234567890123456789012345)
 +
 +/* When stringify_arg() was called with an empty macro argument, it would
 +   advance the buffer pointer by one but fail to check for running past the
 +   end of the buffer.  We can only know where the end of the buffer is to
 +   within about eight bytes, so do this sixteen times to be sure of hitting
 +   it.  */
 +
 +S()
 +S()
 +S()
 +S()
 +S()
 +S()
 +S()
 +S()
 +S()
 +S()
 +S()
 +S()
 +S()
 +S()
 +S()
 +S()
 +
 +/* Now allocate more memory in the buffer, which should provoke a crash.  */
 +
 +S(abcdefghijklmnopqrstuvwxyz)
 +S(abcdefghijklmnopqrstuvwxyz)