New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[PATCH] git log --pretty=format:%s HEAD^1..HEAD
#11988
Comments
From @rurbanThis is a bug report for perl from rurban@cpanel.net, From 657a387f083d6c36982ccecb1aa8df45426401ac Mon Sep 17 00:00:00 2001 Detected by clang -faddress-sanitizer ext/SDBM_File/sdbm/sdbm.c | 10 +++++----- Inline Patchdiff --git a/ext/SDBM_File/sdbm/sdbm.c b/ext/SDBM_File/sdbm/sdbm.c
index c554e52..83f277f 100644
--- a/ext/SDBM_File/sdbm/sdbm.c
+++ b/ext/SDBM_File/sdbm/sdbm.c
@@ -88,17 +88,17 @@ sdbm_open(register char *file, register int flags, register int mode)
*/
filelen = strlen(file);
- if ((dirname = (char *) malloc(filelen + dirfext_len + 1
- + filelen + pagfext_len + 1)) == NULL)
+ if ((dirname = (char *) malloc(filelen + dirfext_len
+ + filelen + pagfext_len)) == NULL)
return errno = ENOMEM, (DBM *) NULL;
/*
* build the file names
*/
memcpy(dirname, file, filelen);
- memcpy(dirname + filelen, DIRFEXT, dirfext_len + 1);
- pagname = dirname + filelen + dirfext_len + 1;
+ memcpy(dirname + filelen, DIRFEXT, dirfext_len); // global-buffer-overflow - one right of ".dir"
+ pagname = dirname + filelen + dirfext_len;
memcpy(pagname, file, filelen);
- memcpy(pagname + filelen, PAGFEXT, pagfext_len + 1);
+ memcpy(pagname + filelen, PAGFEXT, pagfext_len);
db = sdbm_prep(dirname, pagname, flags, mode);
free((char *) dirname);
diff --git a/ext/SDBM_File/sdbm/sdbm.h b/ext/SDBM_File/sdbm/sdbm.h
index 2b8d0e9..37a4a26 100644
--- a/ext/SDBM_File/sdbm/sdbm.h
+++ b/ext/SDBM_File/sdbm/sdbm.h
@@ -10,11 +10,11 @@
#define SPLTMAX 10 /* maximum allowed splits */
/* for a single insertion */
#ifdef VMS
-#define DIRFEXT ".sdbm_dir"
+#define DIRFEXT ".sdbm_dir\0"
#else
-#define DIRFEXT ".dir"
+#define DIRFEXT ".dir\0"
#endif
-#define PAGFEXT ".pag"
+#define PAGFEXT ".pag\0"
typedef struct {
int dirf; /* directory file descriptor */
--
Flags: Site configuration information for perl 5.15.7: Configured by rurban at Sun Jan 22 12:13:34 CST 2012. Summary of my perl5 (revision 5 version 15 subversion 7) configuration: Locally applied patches: @INC for perl 5.15.7: Environment for perl 5.15.7: |
From @rurbanThe attached patch is better, without the temp. comment at the code On Tue, Mar 6, 2012 at 1:53 PM, rurban@cpanel.net
-- |
From @rurban0001-sdbm.c-fix-off-by-one-access-to-global-.dir.patchFrom 10e8459488fb0f1b63f50421cdec7d3a1de64691 Mon Sep 17 00:00:00 2001
From: Reini Urban <rurban@x-ray.at>
Date: Tue, 6 Mar 2012 13:46:15 -0600
Subject: [PATCH] sdbm.c: fix off-by-one access to global ".dir"
Detected by clang -faddress-sanitizer
---
ext/SDBM_File/sdbm/sdbm.c | 10 +++++-----
ext/SDBM_File/sdbm/sdbm.h | 6 +++---
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/ext/SDBM_File/sdbm/sdbm.c b/ext/SDBM_File/sdbm/sdbm.c
index c554e52..83f277f 100644
--- a/ext/SDBM_File/sdbm/sdbm.c
+++ b/ext/SDBM_File/sdbm/sdbm.c
@@ -88,17 +88,17 @@ sdbm_open(register char *file, register int flags, register int mode)
*/
filelen = strlen(file);
- if ((dirname = (char *) malloc(filelen + dirfext_len + 1
- + filelen + pagfext_len + 1)) == NULL)
+ if ((dirname = (char *) malloc(filelen + dirfext_len
+ + filelen + pagfext_len)) == NULL)
return errno = ENOMEM, (DBM *) NULL;
/*
* build the file names
*/
memcpy(dirname, file, filelen);
- memcpy(dirname + filelen, DIRFEXT, dirfext_len + 1);
- pagname = dirname + filelen + dirfext_len + 1;
+ memcpy(dirname + filelen, DIRFEXT, dirfext_len); // global-buffer-overflow - one right of ".dir"
+ pagname = dirname + filelen + dirfext_len;
memcpy(pagname, file, filelen);
- memcpy(pagname + filelen, PAGFEXT, pagfext_len + 1);
+ memcpy(pagname + filelen, PAGFEXT, pagfext_len);
db = sdbm_prep(dirname, pagname, flags, mode);
free((char *) dirname);
diff --git a/ext/SDBM_File/sdbm/sdbm.h b/ext/SDBM_File/sdbm/sdbm.h
index 2b8d0e9..37a4a26 100644
--- a/ext/SDBM_File/sdbm/sdbm.h
+++ b/ext/SDBM_File/sdbm/sdbm.h
@@ -10,11 +10,11 @@
#define SPLTMAX 10 /* maximum allowed splits */
/* for a single insertion */
#ifdef VMS
-#define DIRFEXT ".sdbm_dir"
+#define DIRFEXT ".sdbm_dir\0"
#else
-#define DIRFEXT ".dir"
+#define DIRFEXT ".dir\0"
#endif
-#define PAGFEXT ".pag"
+#define PAGFEXT ".pag\0"
typedef struct {
int dirf; /* directory file descriptor */
--
1.7.5.4
|
The RT System itself - Status changed from 'new' to 'open' |
From @craigberry
Good catch. The bug came in here: http://perl5.git.perl.org/perl.git/commit/081f72ad6fa2b76e0b3cd9046371b2dbd9130114 where we started calculating lengths with sizeof on string constants
That much looks good to me (except for the C++-style comment). I
but I don't understand this at all. There is already a null byte at So my revision of your patch would simply be the attached. Does that |
From @craigberry111586_followup.patchdiff --git a/ext/SDBM_File/sdbm/sdbm.c b/ext/SDBM_File/sdbm/sdbm.c
index c554e52..46be83e 100644
--- a/ext/SDBM_File/sdbm/sdbm.c
+++ b/ext/SDBM_File/sdbm/sdbm.c
@@ -78,8 +78,8 @@ sdbm_open(register char *file, register int flags, register int mode)
register char *dirname;
register char *pagname;
size_t filelen;
- const size_t dirfext_len = sizeof(DIRFEXT "");
- const size_t pagfext_len = sizeof(PAGFEXT "");
+ const size_t dirfext_size = sizeof(DIRFEXT "");
+ const size_t pagfext_size = sizeof(PAGFEXT "");
if (file == NULL || !*file)
return errno = EINVAL, (DBM *) NULL;
@@ -88,17 +88,17 @@ sdbm_open(register char *file, register int flags, register int mode)
*/
filelen = strlen(file);
- if ((dirname = (char *) malloc(filelen + dirfext_len + 1
- + filelen + pagfext_len + 1)) == NULL)
+ if ((dirname = (char *) malloc(filelen + dirfext_size
+ + filelen + pagfext_size)) == NULL)
return errno = ENOMEM, (DBM *) NULL;
/*
* build the file names
*/
memcpy(dirname, file, filelen);
- memcpy(dirname + filelen, DIRFEXT, dirfext_len + 1);
- pagname = dirname + filelen + dirfext_len + 1;
+ memcpy(dirname + filelen, DIRFEXT, dirfext_size);
+ pagname = dirname + filelen + dirfext_size;
memcpy(pagname, file, filelen);
- memcpy(pagname + filelen, PAGFEXT, pagfext_len + 1);
+ memcpy(pagname + filelen, PAGFEXT, pagfext_size);
db = sdbm_prep(dirname, pagname, flags, mode);
free((char *) dirname);
|
From @rurbanAm 06.03.2012 um 19:26 schrieb Craig Berry via RT:
Yeah, sorry. I forgot to clear that before doing git add.
I know that string constants already include the final \0 but it made the code clearer to me.
I hope that I can test it today. But I'll be out of office from today noon for the next two weeks, -- |
From @rurbanOn Thu, Mar 8, 2012 at 7:07 AM, Reini Urban <rurban@cpanel.net> wrote:
111586_followup.patch tested ok, GTG |
From @craigberryOn Thu, Mar 8, 2012 at 8:23 AM, Reini Urban <rurban@x-ray.at> wrote:
Thanks, applied: http://perl5.git.perl.org/perl.git/commitdiff/acdbe25bd91bf897e0cf373b91ab0814e21c4860 |
@cpansprout - Status changed from 'open' to 'resolved' |
Migrated from rt.perl.org#111586 (status was 'resolved')
Searchable as RT111586$
The text was updated successfully, but these errors were encountered: