From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 4282 invoked by alias); 12 May 2003 08:46:02 -0000 Mailing-List: contact gcc-prs-help@gcc.gnu.org; run by ezmlm Precedence: bulk List-Archive: List-Post: List-Help: Sender: gcc-prs-owner@gcc.gnu.org Received: (qmail 4091 invoked by uid 71); 12 May 2003 08:46:01 -0000 Resent-Date: 12 May 2003 08:46:01 -0000 Resent-Message-ID: <20030512084601.4090.qmail@sources.redhat.com> Resent-From: gcc-gnats@gcc.gnu.org (GNATS Filer) Resent-Cc: gcc-prs@gcc.gnu.org, gcc-bugs@gcc.gnu.org Resent-Reply-To: gcc-gnats@gcc.gnu.org, richard@brainstorm.co.uk Received: (qmail 21199 invoked by uid 48); 12 May 2003 08:42:46 -0000 Message-Id: <20030512084246.21198.qmail@sources.redhat.com> Date: Mon, 12 May 2003 08:46:00 -0000 From: richard@brainstorm.co.uk Reply-To: richard@brainstorm.co.uk To: gcc-gnats@gcc.gnu.org X-Send-Pr-Version: gnatsweb-2.9.3 (1.1.1.1.2.31) Subject: libobjc/10742: objc_lookup_class() called with illegal argument X-SW-Source: 2003-05/txt/msg01122.txt.bz2 List-Id: >Number: 10742 >Category: libobjc >Synopsis: objc_lookup_class() called with illegal argument >Confidential: no >Severity: serious >Priority: medium >Responsible: unassigned >State: open >Class: sw-bug >Submitter-Id: net >Arrival-Date: Mon May 12 08:46:01 UTC 2003 >Closed-Date: >Last-Modified: >Originator: richard@brainstorm.co.uk >Release: gcc (GCC) 3.4 20030510 and earlier >Organization: >Environment: gnu/linux intel, but will apply to other systems too. >Description: When a class is loaded into the runtime, the fields in the class structure which normally link to other classes are actually pointers to strings containing the names of those classes, and these pointers are replaced by links to the actual classes during the load process. In various places in the runtime file init.c, the code calls objc_lookup_class() passing it the value from class->super_class on the assumption that it is the name of the class's superclass. 
However, this is not always the case, and pointers to classes can be passed as if they were strings. This can result in objc_lookup_class causing a segmentation violation when it does not find a nul terminator in the 'string' it is given. >How-To-Repeat: >Fix: The attached patch fixes this problem by using a new static function which checks to see whether the class links have been resolved and only trying to use them as string if they have not yet been changed to class pointers. >Release-Note: >Audit-Trail: >Unformatted: ----gnatsweb-attachment---- Content-Type: text/plain; name="init.c.diff" Content-Disposition: inline; filename="init.c.diff" *** init.c.old Sun May 11 07:14:11 2003 --- init.c Sun May 11 07:13:52 2003 *************** *** 99,104 **** --- 99,115 ---- should not be destroyed during the execution of the program. */ static cache_ptr __objc_load_methods = NULL; + /* Return the super class by resorting to objc_lookup_class() + if links are not yet resolved. */ + static Class lookup_super(Class class) + { + if (class->super_class == Nil) + return Nil; + if (CLS_ISRESOLV(class)) + return class->super_class; + return objc_lookup_class((char*)class->super_class); + } + /* Creates a tree of classes whose topmost class is directly inherited from `upper' and the bottom class in this tree is `bottom_class'. The classes in this tree are super classes of *************** *** 108,117 **** static objc_class_tree * create_tree_of_subclasses_inherited_from (Class bottom_class, Class upper) { ! Class superclass = bottom_class->super_class ? ! objc_lookup_class ((char *) bottom_class->super_class) ! : Nil; ! objc_class_tree *tree, *prev; DEBUG_PRINTF ("create_tree_of_subclasses_inherited_from:"); --- 119,126 ---- static objc_class_tree * create_tree_of_subclasses_inherited_from (Class bottom_class, Class upper) { ! Class superclass = lookup_super(bottom_class); ! 
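Review bot: The header comment on the new lookup_super does not state the one case callers later depend on: when the links are still unresolved and the name is not yet registered, objc_lookup_class returns Nil, so a Nil result is ambiguous between "root class" and "superclass not yet known" (the hunks at lines 562 and 674 rely on exactly that ambiguity as a "still unresolved" test). I would replace the two-line comment with `/* Return the superclass of CLASS, or Nil if CLASS has no superclass or its class links are not yet resolved (CLS_ISRESOLV unset) and the superclass name is not yet known to the runtime. */`. As a point of style, the rest of the file writes `(char *)` and puts a space before the call parenthesis (`objc_lookup_class ((char *) ...)`), whereas this hunk writes `(char*)class->super_class` and the call sites alternate between `lookup_super(class)` and `lookup_super (class)`; the GNU form should be used throughout.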
objc_class_tree *tree, *prev; DEBUG_PRINTF ("create_tree_of_subclasses_inherited_from:"); *************** *** 122,135 **** tree = prev = objc_calloc (1, sizeof (objc_class_tree)); prev->class = bottom_class; ! while (superclass != upper) { tree = objc_calloc (1, sizeof (objc_class_tree)); tree->class = superclass; tree->subclasses = list_cons (prev, tree->subclasses); ! superclass = (superclass->super_class ? ! objc_lookup_class ((char *) superclass->super_class) ! : Nil); prev = tree; } --- 131,142 ---- tree = prev = objc_calloc (1, sizeof (objc_class_tree)); prev->class = bottom_class; ! while (superclass != Nil && superclass != upper) { tree = objc_calloc (1, sizeof (objc_class_tree)); tree->class = superclass; tree->subclasses = list_cons (prev, tree->subclasses); ! superclass = lookup_super(superclass); prev = tree; } *************** *** 157,166 **** DEBUG_PRINTF ("1. class %s was previously inserted\n", class->name); return tree; } ! else if ((class->super_class ? ! objc_lookup_class ((char *) class->super_class) ! : Nil) ! == tree->class) { /* If class is a direct subclass of tree->class then add class to the list of subclasses. First check to see if it wasn't already --- 164,170 ---- DEBUG_PRINTF ("1. class %s was previously inserted\n", class->name); return tree; } ! else if (lookup_super(class) == tree->class) { /* If class is a direct subclass of tree->class then add class to the list of subclasses. First check to see if it wasn't already *************** *** 370,378 **** { if (class == superclass) return YES; ! class = (class->super_class ? ! objc_lookup_class ((char *) class->super_class) ! : Nil); } return NO; --- 374,380 ---- { if (class == superclass) return YES; ! class = lookup_super(class); } return NO; *************** *** 562,568 **** /* Check to see if the superclass is known in this point. If it's not add the class to the unresolved_classes list. */ ! if (superclass && ! 
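Review bot: The new loop condition `superclass != Nil && superclass != upper` in the hunk at line 122 turns a previous crash into a silent result: if `upper` is not actually an ancestor of `bottom_class`, the walk now stops at a root class and returns a tree whose topmost class is not inherited from `upper`, contradicting the function's own comment ("whose topmost class is directly inherited from `upper'"). The caller presumably never passes such a pair, but since this contract is what makes the tree-insertion in the line-157 hunk correct, I would make the fallback visible, e.g. after the loop `if (superclass == Nil) DEBUG_PRINTF ("create_tree_of_subclasses_inherited_from: root reached before upper\n");`. The enclosing function starts in the preceding hunk and its body continues past this one.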
objc_lookup_class (superclass)) unresolved_classes = list_cons (class, unresolved_classes); } --- 564,570 ---- /* Check to see if the superclass is known in this point. If it's not add the class to the unresolved_classes list. */ ! if (superclass && ! lookup_super (class)) unresolved_classes = list_cons (class, unresolved_classes); } *************** *** 674,680 **** { Class class = unresolved_classes->head; ! while (objc_lookup_class ((char *) class->super_class)) { list_remove_head (&unresolved_classes); if (unresolved_classes) --- 676,682 ---- { Class class = unresolved_classes->head; ! while (lookup_super (class)) { list_remove_head (&unresolved_classes); if (unresolved_classes)
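Review bot: In the hunk at line 562, `superclass && ! lookup_super (class)` keeps the old `superclass &&` guard even though lookup_super already returns Nil when `class->super_class` is Nil; if `superclass` is, as it presumably is, just `class->super_class` read as a string, the guard is now redundant and the line can be `if (! lookup_super (class))` together with a comment such as `/* Nil here means the superclass is not yet registered; defer the class. */`. Note also that for a class that already has CLS_ISRESOLV set this test no longer consults the class table at all, it just returns the stored pointer, so the "is the superclass known" check is weaker than the original objc_lookup_class call for resolved classes; that only matters if a resolved class can reach this path, which I cannot tell from the hunk. The enclosing function starts and ends outside this hunk.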