From: richard@brainstorm.co.uk
To: gcc-gnats@gcc.gnu.org
Subject: libobjc/10742: objc_lookup_class() called with illegal argument
Date: Mon, 12 May 2003 08:46:00 -0000	[thread overview]
Message-ID: <20030512084246.21198.qmail@sources.redhat.com> (raw)


>Number:         10742
>Category:       libobjc
>Synopsis:       objc_lookup_class() called with illegal argument
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    unassigned
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon May 12 08:46:01 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator:     richard@brainstorm.co.uk
>Release:        gcc (GCC) 3.4 20030510  and earlier
>Organization:
>Environment:
gnu/linux intel, but will apply to other systems too.
>Description:
When a class is loaded into the runtime, the fields in the class structure which normally link to other classes are actually pointers to strings containing the names of those classes, and these pointers are replaced by links to the actual classes during the load process.
In various places in the runtime file init.c, the code calls objc_lookup_class() passing it the value from class->super_class on the assumption that it is the name of the class's superclass.  However, this is not always the case, and pointers to classes can be passed as if they were strings.  This can result in objc_lookup_class causing a segmentation violation when it does not find a nul terminator in the 'string' it is given.
>How-To-Repeat:

>Fix:
The attached patch fixes this problem by using a new static function which checks whether the class links have been resolved and only treats them as strings if they have not yet been changed to class pointers.
>Release-Note:
>Audit-Trail:
>Unformatted:
----gnatsweb-attachment----
Content-Type: text/plain; name="init.c.diff"
Content-Disposition: inline; filename="init.c.diff"

*** init.c.old	Sun May 11 07:14:11 2003
--- init.c	Sun May 11 07:13:52 2003
***************
*** 99,104 ****
--- 99,115 ----
     should not be destroyed during the execution of the program.  */
  static cache_ptr __objc_load_methods = NULL;
  
+ /* Return the super class by resorting to objc_lookup_class()
+    if links are not yet resolved. */
+ static Class lookup_super(Class class)
+ {
+   if (class->super_class == Nil)
+     return Nil;
+   if (CLS_ISRESOLV(class))
+     return class->super_class;
+   return objc_lookup_class((char*)class->super_class);
+ }
+ 
  /* Creates a tree of classes whose topmost class is directly inherited
     from `upper' and the bottom class in this tree is
     `bottom_class'. The classes in this tree are super classes of
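Review bot: lookup_super dereferences `class` with no Nil guard, and the call sites further down feed it values taken from loop variables and list heads (`class = lookup_super(class)` in the -370 hunk, `unresolved_classes->head` in the -674 hunk), so if any of those can be Nil the crash this patch removes reappears one level down; a `if (class == Nil) return Nil;` at the top would make the helper total. The header comment should also state the invariant the `(char*)` fall-through relies on, because it cannot be checked from this hunk: that CLS_ISRESOLV is set exactly once super_class has been rewritten from a name to a class pointer. I would replace the two-line comment with `/* Return the superclass of CLASS, or Nil if it has none. Until the class links are resolved (CLS_ISRESOLV unset) super_class still holds the superclass *name*, so fall back to objc_lookup_class(); a name that is not yet loaded also yields Nil. */`.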
***************
*** 108,117 ****
  static objc_class_tree *
  create_tree_of_subclasses_inherited_from (Class bottom_class, Class upper)
  {
!   Class superclass = bottom_class->super_class ?
! 			objc_lookup_class ((char *) bottom_class->super_class)
! 		      : Nil;
! 					
    objc_class_tree *tree, *prev;
  
    DEBUG_PRINTF ("create_tree_of_subclasses_inherited_from:");
--- 119,126 ----
  static objc_class_tree *
  create_tree_of_subclasses_inherited_from (Class bottom_class, Class upper)
  {
!   Class superclass = lookup_super(bottom_class);
! 
    objc_class_tree *tree, *prev;
  
    DEBUG_PRINTF ("create_tree_of_subclasses_inherited_from:");
***************
*** 122,135 ****
    tree = prev = objc_calloc (1, sizeof (objc_class_tree));
    prev->class = bottom_class;
  
!   while (superclass != upper)
      {
        tree = objc_calloc (1, sizeof (objc_class_tree));
        tree->class = superclass;
        tree->subclasses = list_cons (prev, tree->subclasses);
!       superclass = (superclass->super_class ?
! 			objc_lookup_class ((char *) superclass->super_class)
! 		      : Nil);
        prev = tree;
      }
  
--- 131,142 ----
    tree = prev = objc_calloc (1, sizeof (objc_class_tree));
    prev->class = bottom_class;
  
!   while (superclass != Nil && superclass != upper)
      {
        tree = objc_calloc (1, sizeof (objc_class_tree));
        tree->class = superclass;
        tree->subclasses = list_cons (prev, tree->subclasses);
!       superclass = lookup_super(superclass);
        prev = tree;
      }
  
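Review bot: The added `superclass != Nil` guard turns what used to be a crash (walking past a root class when `upper` is not an ancestor of `bottom_class`) into a silently truncated tree whose topmost node is a root class rather than a child of `upper`; the rest of create_tree_of_subclasses_inherited_from, which is outside this hunk, presumably links that tree under `upper`, so the wrong-ancestor case now passes unnoticed. If that case is genuinely impossible, a comment on the loop saying so is enough, e.g. `/* superclass becomes Nil only if UPPER is not an ancestor, which the callers guarantee never happens. */`; otherwise a DEBUG_PRINTF after the loop when `superclass == Nil && upper != Nil` would keep the failure visible. The unchecked `objc_calloc` result on the first line of the loop body predates this change and is not addressed by it.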
***************
*** 157,166 ****
        DEBUG_PRINTF ("1. class %s was previously inserted\n", class->name);
        return tree;
      }
!   else if ((class->super_class ?
! 		    objc_lookup_class ((char *) class->super_class)
! 		  : Nil)
! 	    == tree->class)
      {
        /* If class is a direct subclass of tree->class then add class to the
  	 list of subclasses. First check to see if it wasn't already
--- 164,170 ----
        DEBUG_PRINTF ("1. class %s was previously inserted\n", class->name);
        return tree;
      }
!   else if (lookup_super(class) == tree->class)
      {
        /* If class is a direct subclass of tree->class then add class to the
  	 list of subclasses. First check to see if it wasn't already
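Review bot: `lookup_super(class) == tree->class` is now also true when lookup_super returns Nil, i.e. when `class` is a root class or its superclass name cannot be resolved yet; if a tree node can ever carry a Nil class (not visible in this hunk, and the -122 hunk's loop now only stores non-Nil superclasses), such a class would be adopted as its direct subclass. The old expression had the same shape, so this is not a regression, but the helper makes the Nil result easy to forget; I would write it as `else if (tree->class != Nil && lookup_super(class) == tree->class)` or note in a comment that tree->class is never Nil here. The enclosing function starts and ends outside this hunk.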
***************
*** 370,378 ****
      {
        if (class == superclass)
  	return YES;
!       class = (class->super_class ?
! 		  objc_lookup_class ((char *) class->super_class)
! 		: Nil);
      }
  
    return NO;
--- 374,380 ----
      {
        if (class == superclass)
  	return YES;
!       class = lookup_super(class);
      }
  
    return NO;
***************
*** 562,568 ****
  
        /* Check to see if the superclass is known in this point. If it's not
  	 add the class to the unresolved_classes list.  */
!       if (superclass && ! objc_lookup_class (superclass))
  	unresolved_classes = list_cons (class, unresolved_classes);
     }
  
--- 564,570 ----
  
        /* Check to see if the superclass is known in this point. If it's not
  	 add the class to the unresolved_classes list.  */
!       if (superclass && ! lookup_super (class))
  	unresolved_classes = list_cons (class, unresolved_classes);
     }
  
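Review bot: The guard still tests the local `superclass` while the lookup now re-reads `class->super_class` through lookup_super, so the two halves of the condition can silently disagree if `superclass` is ever initialised from anything other than `class->super_class` (its definition is outside this hunk). If `superclass` is just a copy of that field, the `superclass &&` half duplicates the Nil check inside lookup_super and the line can become `if (! lookup_super (class))`; if it is not, a comment such as `/* superclass is the name, lookup_super re-reads class->super_class; both must refer to the same class. */` is needed. The comment above the condition still says "known in this point" and could read "known at this point".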
***************
*** 674,680 ****
      {
        Class class = unresolved_classes->head;
  
!       while (objc_lookup_class ((char *) class->super_class))
  	{
  	  list_remove_head (&unresolved_classes);
  	  if (unresolved_classes)
--- 676,682 ----
      {
        Class class = unresolved_classes->head;
  
!       while (lookup_super (class))
  	{
  	  list_remove_head (&unresolved_classes);
  	  if (unresolved_classes)
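Review bot: For a class that already has CLS_ISRESOLV set, `lookup_super (class)` returns the stored pointer without consulting the class table, so the loop condition is unconditionally true for such entries and they are dropped from unresolved_classes whether or not their superclass was actually loaded; whether a resolved class can sit on that list when this loop runs is not visible here (the enclosing loop starts outside the hunk), so it is worth a comment either way, e.g. `/* lookup_super() is Nil only for an unresolved class whose superclass is still not loaded. */`. Note also that a root class reaching this list now terminates the loop (lookup_super returns Nil for a Nil super_class) where the old code passed a null pointer to objc_lookup_class; that change in behaviour looks intended but should be mentioned in the description.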

