From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path:
Received: (qmail 6094 invoked by alias); 30 Jan 2003 20:26:01 -0000
Mailing-List: contact gcc-prs-help@gcc.gnu.org; run by ezmlm
Precedence: bulk
List-Archive:
List-Post:
List-Help:
Sender: gcc-prs-owner@gcc.gnu.org
Received: (qmail 6071 invoked by uid 71); 30 Jan 2003 20:26:01 -0000
Resent-Date: 30 Jan 2003 20:26:01 -0000
Resent-Message-ID: <20030130202601.6070.qmail@sources.redhat.com>
Resent-From: gcc-gnats@gcc.gnu.org (GNATS Filer)
Resent-Cc: gcc-prs@gcc.gnu.org, gcc-bugs@gcc.gnu.org
Resent-Reply-To: gcc-gnats@gcc.gnu.org, "Alexander N. Kabaev"
Received: (qmail 3049 invoked from network); 30 Jan 2003 20:19:26 -0000
Received: from unknown (HELO h132-197-179-51.gte.com) (132.197.179.51)
  by 172.16.49.205 with SMTP; 30 Jan 2003 20:19:26 -0000
Received: from ork.gte.com (lfsdztp68nk9v4pu@localhost [127.0.0.1])
  by h132-197-179-51.gte.com (8.12.6/8.12.6) with ESMTP id h0UKJQUu022231
  for ; Thu, 30 Jan 2003 15:19:26 -0500 (EST)
  (envelope-from ak03@ork.gte.com)
Received: (from ak03@localhost)
  by ork.gte.com (8.12.6/8.12.6/Submit) id h0UKJQJ6022230;
  Thu, 30 Jan 2003 15:19:26 -0500 (EST)
Message-Id: <200301302019.h0UKJQJ6022230@ork.gte.com>
Date: Thu, 30 Jan 2003 20:26:00 -0000
From: "Alexander N. Kabaev"
To: gcc-gnats@gcc.gnu.org
X-Send-Pr-Version: 3.113
Subject: preprocessor/9514: tradcpp0 dumps core on binary data
X-SW-Source: 2003-01/txt/msg01741.txt.bz2
List-Id:

>Number:         9514
>Category:       preprocessor
>Synopsis:       tradcpp0 dumps core on binary data
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    unassigned
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Jan 30 20:26:00 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator:     Alexander N. Kabaev
>Release:        3.2.2 20030106 (prerelease)
>Organization:
FreeBSD.ORG
>Environment:
System: FreeBSD ork.gte.com 4.7-STABLE FreeBSD 4.7-STABLE #3: Tue Jan 28 11:09:15 EST 2003 ak03@ork.gte.com:/usr/src/sys/compile/KAN i386
host: i386-portbld-freebsd4.7
build: i386-portbld-freebsd4.7
target: i386-portbld-freebsd4.7
configured with: ./..//gcc-3.2.1/configure --disable-nls --with-gnu-as --with-gnu-ld --with-gxx-include-dir=/usr/local/lib/gcc-lib/i386-portbld-freebsd4.7/3.2.1/include/g++-v3 --with-system-zlib --includedir=/usr/local/lib/gcc-lib/i386-portbld-freebsd4.7/3.2.1/include/Java --disable-libgcj --disable-shared --prefix=/usr/local i386-portbld-freebsd4.7
>Description:
When given data with an embedded '\0' before the first '\r' occurrence,
tradcpp0 will dump core trying to dereference a null pointer.

The following code in the fixup_newlines function is problematic:

  p = (U_CHAR *) strchr ((const char *) fp->buf, '\r');
  *end = '\0';
  if (p == end)
    return;

  if (p > fp->buf && p[-1] == '\n')
    p--;
  q = p;
  while (p < end)
    switch (*p)
            ^^^^^ Crash happens here.

With a null character before the first '\r', strchr can return NULL,
causing the crash later.

Preprocessing binary data is a questionable activity, but I think the
preprocessor should handle these mistakes gracefully.
>How-To-Repeat:
tradcpp0 /etc on any system which allows directory opens (i.e.
any BSD system) >Fix: Index: tradcpp.c =================================================================== RCS file: /usr/ncvs/src/contrib/gcc/tradcpp.c,v retrieving revision 1.1.1.5 diff -u -r1.1.1.5 tradcpp.c --- tradcpp.c 4 Dec 2002 15:40:06 -0000 1.1.1.5 +++ tradcpp.c 30 Jan 2003 20:13:45 -0000 @@ -2605,7 +2605,7 @@ end = fp->buf + fp->length; *end = '\r'; - p = (U_CHAR *) strchr ((const char *) fp->buf, '\r'); + p = (U_CHAR *) memchr ((const char *) fp->buf, '\r', fp->length + 1); *end = '\0'; if (p == end) return; >Release-Note: >Audit-Trail: >Unformatted:
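Review bot: on the added memchr line, the (const char *) cast is a leftover from the strchr call; memchr takes a const void *, so memchr (fp->buf, '\r', fp->length + 1) is sufficient. The + 1 is what lets the search reach the '\r' sentinel stored at *end, and that is the only reason p can no longer be NULL at the "if (p == end)" check, so a one-line comment saying so would keep a later cleanup from trimming the length to fp->length. A regression input containing a '\0' ahead of the first '\r' would be worth adding with the fix.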
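Added example (not part of the original report and not GCC code): the sentinel scan from the description, run over constructed buffers with both strchr and memchr, returning offsets instead of dereferencing so the NULL result is visible. The helper scan_first_cr and the sample arrays are hypothetical names introduced here.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not from tradcpp.c. buf must have len + 1 writable
   bytes; buf[len] briefly holds a '\r' sentinel, as in the report's code.
   Returns the offset of the first '\r' (len means "none in the data"),
   or -1 when the scan itself returns NULL. */
static long scan_first_cr(unsigned char *buf, size_t len, int use_memchr)
{
    unsigned char *end = buf + len;
    unsigned char *p;

    *end = '\r';
    if (use_memchr)
        p = memchr(buf, '\r', len + 1);  /* length-bounded: NUL is just a byte */
    else
        p = (unsigned char *) strchr((const char *) buf, '\r'); /* stops at NUL */
    *end = '\0';

    return p ? (long) (p - buf) : -1;
}

/* Constructed inputs; every array has one spare byte for the sentinel. */
static unsigned char text_crlf[]  = "a\r\nb";  /* len 4, CR at offset 1 */
static unsigned char text_plain[] = "abc\n";   /* len 4, no CR */
static unsigned char binary[]     =            /* len 7, NUL before the CR */
    { 'E', 'L', 'F', '\0', 0x01, '\r', 0x02, 0 };

int main(void)
{
    printf("crlf:   strchr=%ld memchr=%ld\n",
           scan_first_cr(text_crlf, 4, 0), scan_first_cr(text_crlf, 4, 1));
    printf("plain:  strchr=%ld memchr=%ld\n",
           scan_first_cr(text_plain, 4, 0), scan_first_cr(text_plain, 4, 1));
    /* strchr gives -1 here: it never reaches the sentinel, so code that
       assumes a non-NULL result would dereference a null pointer. */
    printf("binary: strchr=%ld memchr=%ld\n",
           scan_first_cr(binary, 7, 0), scan_first_cr(binary, 7, 1));
    return 0;
}
```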