From: David Daney
To: Andrew Haley
CC: Martin Ettl, java@gcc.gnu.org
Subject: Re: found an overlapping data buffer in file natGCInfo.cc
Date: Mon, 27 Jul 2009 14:43:00 -0000
Message-ID: <4A6DBCE9.4090807@caviumnetworks.com>
In-Reply-To: <4A6D7B5D.5090005@redhat.com>

Andrew Haley wrote:
> On 07/27/2009 10:29 AM, Martin Ettl wrote:
>> Hello,
>>
>> while checking the sources of gcc-4.4.1 with the static code analysis tool cppcheck I found an overlapping data buffer in file gcc-4.4.1/libjava/gnu/gcj/natGCInfo.cc at line 410.
>>
>> Take a look at the file:
>>
>> static void *
>> nomem_handler(size_t size)
>> {
>>   if (oomDumpName)
>>     {
>>       char temp[strlen(oomDumpName) + 20];
>> 410   sprintf(temp, "%s%03d", temp, GC_dump_count++);

The second instance of temp should be oomDumpName.

>>       printf("nomem_handler(%zd) called\n", size);
>>       gc_ok--;
>>       GC_enumerator x(temp);
>>       x.enumerate();
>>       gc_ok++;
>>     }
>>   return (void*)0;
>> }
>>
>> Indeed, the buffer overlaps. This can lead to segmentation faults!
>
> Thanks. How very weird; I wonder what that code was supposed to do.
> Someone should fix it.

If nobody does soon, I suppose I will as I added it in the first place.

David Daney
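The line cppcheck flagged passes `temp` as both the destination and the `%s` source of `sprintf`, so the call reads an uninitialized stack buffer and formats into an object that overlaps its own input; both are undefined behaviour in C, and the intended source is `oomDumpName`, as the reply says. The block below is an added example, not libgcj code, showing how the dump-file name can be built safely: the source and destination are distinct objects, the buffer is sized the way the original is (`strlen(base) + 20`), and `snprintf` rejects rather than overflows when the name does not fit. The names `build_dump_name`, `make_oom_dump_name`, `base` and `counter` are illustrative stand-ins for `oomDumpName` and `GC_dump_count`, not identifiers from the project.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not libgcj code. build_dump_name / make_oom_dump_name,
 * base and counter are illustrative stand-ins for the original
 * oomDumpName and GC_dump_count. */

/* Format "<base><NNN>" into out (capacity outlen).  base and out must be
 * distinct objects; the original bug was passing the same buffer as both.
 * Returns the length written (excluding the NUL), or -1 if the arguments
 * are invalid or the result would not fit.  On failure out is emptied so
 * a caller can never open a half-formatted path. */
int build_dump_name(const char *base, int count, char *out, size_t outlen)
{
    if (base == NULL || out == NULL || outlen == 0 || count < 0)
        return -1;

    int n = snprintf(out, outlen, "%s%03d", base, count);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return n;
}

/* Mirrors the corrected nomem_handler logic: size the buffer like the
 * original VLA (strlen(base) + 20, enough for any non-negative int and
 * the NUL), format from base rather than from the buffer itself, and only
 * advance the dump counter once a name was actually produced.
 * Returns a malloc'd string the caller frees, or NULL on failure. */
char *make_oom_dump_name(const char *base, int *counter)
{
    if (base == NULL || counter == NULL)
        return NULL;

    size_t len = strlen(base) + 20;      /* same sizing as the original */
    char *name = malloc(len);
    if (name == NULL)
        return NULL;

    if (build_dump_name(base, *counter, name, len) < 0) {
        free(name);
        return NULL;
    }
    (*counter)++;                        /* GC_dump_count++ in the original */
    return name;
}
```

A heap buffer is used here instead of the original's variable-length array only so the result can be returned for inspection; inside `nomem_handler` the VLA is fine once the source argument is `oomDumpName`. Note that `%03d` is a minimum width, not a limit, which is why the fixed-size check in `build_dump_name` matters once the counter passes 999.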