[PATCH] git log --pretty=format:%s HEAD^1..HEAD
#11988
Comments
From @rurbanThis is a bug report for perl from rurban@cpanel.net, From 657a387f083d6c36982ccecb1aa8df45426401ac Mon Sep 17 00:00:00 2001 Detected by clang -faddress-sanitizer ext/SDBM_File/sdbm/sdbm.c | 10 +++++----- Inline Patchdiff --git a/ext/SDBM_File/sdbm/sdbm.c b/ext/SDBM_File/sdbm/sdbm.c
index c554e52..83f277f 100644
--- a/ext/SDBM_File/sdbm/sdbm.c
+++ b/ext/SDBM_File/sdbm/sdbm.c
@@ -88,17 +88,17 @@ sdbm_open(register char *file, register int flags, register int mode)
*/
filelen = strlen(file);
- if ((dirname = (char *) malloc(filelen + dirfext_len + 1
- + filelen + pagfext_len + 1)) == NULL)
+ if ((dirname = (char *) malloc(filelen + dirfext_len
+ + filelen + pagfext_len)) == NULL)
return errno = ENOMEM, (DBM *) NULL;
/*
* build the file names
*/
memcpy(dirname, file, filelen);
- memcpy(dirname + filelen, DIRFEXT, dirfext_len + 1);
- pagname = dirname + filelen + dirfext_len + 1;
+ memcpy(dirname + filelen, DIRFEXT, dirfext_len); // global-buffer-overflow - one right of ".dir"
+ pagname = dirname + filelen + dirfext_len;
memcpy(pagname, file, filelen);
- memcpy(pagname + filelen, PAGFEXT, pagfext_len + 1);
+ memcpy(pagname + filelen, PAGFEXT, pagfext_len);
db = sdbm_prep(dirname, pagname, flags, mode);
free((char *) dirname);
diff --git a/ext/SDBM_File/sdbm/sdbm.h b/ext/SDBM_File/sdbm/sdbm.h
index 2b8d0e9..37a4a26 100644
--- a/ext/SDBM_File/sdbm/sdbm.h
+++ b/ext/SDBM_File/sdbm/sdbm.h
@@ -10,11 +10,11 @@
#define SPLTMAX 10 /* maximum allowed splits */
/* for a single insertion */
#ifdef VMS
-#define DIRFEXT ".sdbm_dir"
+#define DIRFEXT ".sdbm_dir\0"
#else
-#define DIRFEXT ".dir"
+#define DIRFEXT ".dir\0"
#endif
-#define PAGFEXT ".pag"
+#define PAGFEXT ".pag\0"
typedef struct {
int dirf; /* directory file descriptor */
--
Flags: Site configuration information for perl 5.15.7: Configured by rurban at Sun Jan 22 12:13:34 CST 2012. Summary of my perl5 (revision 5 version 15 subversion 7) configuration: Locally applied patches: @INC for perl 5.15.7: Environment for perl 5.15.7: |
From @rurbanThe attached patch is better, without the temp. comment at the code On Tue, Mar 6, 2012 at 1:53 PM, rurban@cpanel.net
-- |
From @rurban0001-sdbm.c-fix-off-by-one-access-to-global-.dir.patchFrom 10e8459488fb0f1b63f50421cdec7d3a1de64691 Mon Sep 17 00:00:00 2001
From: Reini Urban <rurban@x-ray.at>
Date: Tue, 6 Mar 2012 13:46:15 -0600
Subject: [PATCH] sdbm.c: fix off-by-one access to global ".dir"
Detected by clang -faddress-sanitizer
---
ext/SDBM_File/sdbm/sdbm.c | 10 +++++-----
ext/SDBM_File/sdbm/sdbm.h | 6 +++---
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/ext/SDBM_File/sdbm/sdbm.c b/ext/SDBM_File/sdbm/sdbm.c
index c554e52..83f277f 100644
--- a/ext/SDBM_File/sdbm/sdbm.c
+++ b/ext/SDBM_File/sdbm/sdbm.c
@@ -88,17 +88,17 @@ sdbm_open(register char *file, register int flags, register int mode)
*/
filelen = strlen(file);
- if ((dirname = (char *) malloc(filelen + dirfext_len + 1
- + filelen + pagfext_len + 1)) == NULL)
+ if ((dirname = (char *) malloc(filelen + dirfext_len
+ + filelen + pagfext_len)) == NULL)
return errno = ENOMEM, (DBM *) NULL;
/*
* build the file names
*/
memcpy(dirname, file, filelen);
- memcpy(dirname + filelen, DIRFEXT, dirfext_len + 1);
- pagname = dirname + filelen + dirfext_len + 1;
+ memcpy(dirname + filelen, DIRFEXT, dirfext_len); // global-buffer-overflow - one right of ".dir"
+ pagname = dirname + filelen + dirfext_len;
memcpy(pagname, file, filelen);
- memcpy(pagname + filelen, PAGFEXT, pagfext_len + 1);
+ memcpy(pagname + filelen, PAGFEXT, pagfext_len);
db = sdbm_prep(dirname, pagname, flags, mode);
free((char *) dirname);
diff --git a/ext/SDBM_File/sdbm/sdbm.h b/ext/SDBM_File/sdbm/sdbm.h
index 2b8d0e9..37a4a26 100644
--- a/ext/SDBM_File/sdbm/sdbm.h
+++ b/ext/SDBM_File/sdbm/sdbm.h
@@ -10,11 +10,11 @@
#define SPLTMAX 10 /* maximum allowed splits */
/* for a single insertion */
#ifdef VMS
-#define DIRFEXT ".sdbm_dir"
+#define DIRFEXT ".sdbm_dir\0"
#else
-#define DIRFEXT ".dir"
+#define DIRFEXT ".dir\0"
#endif
-#define PAGFEXT ".pag"
+#define PAGFEXT ".pag\0"
typedef struct {
int dirf; /* directory file descriptor */
--
1.7.5.4
|
|
The RT System itself - Status changed from 'new' to 'open' |
From @craigberry
Good catch. The bug came in here: http://perl5.git.perl.org/perl.git/commit/081f72ad6fa2b76e0b3cd9046371b2dbd9130114 where we started calculating lengths with sizeof on string constants
That much looks good to me (except for the C++-style comment). I
but I don't understand this at all. There is already a null byte at So my revision of your patch would simply be the attached. Does that |
From @craigberry111586_followup.patchdiff --git a/ext/SDBM_File/sdbm/sdbm.c b/ext/SDBM_File/sdbm/sdbm.c
index c554e52..46be83e 100644
--- a/ext/SDBM_File/sdbm/sdbm.c
+++ b/ext/SDBM_File/sdbm/sdbm.c
@@ -78,8 +78,8 @@ sdbm_open(register char *file, register int flags, register int mode)
register char *dirname;
register char *pagname;
size_t filelen;
- const size_t dirfext_len = sizeof(DIRFEXT "");
- const size_t pagfext_len = sizeof(PAGFEXT "");
+ const size_t dirfext_size = sizeof(DIRFEXT "");
+ const size_t pagfext_size = sizeof(PAGFEXT "");
if (file == NULL || !*file)
return errno = EINVAL, (DBM *) NULL;
@@ -88,17 +88,17 @@ sdbm_open(register char *file, register int flags, register int mode)
*/
filelen = strlen(file);
- if ((dirname = (char *) malloc(filelen + dirfext_len + 1
- + filelen + pagfext_len + 1)) == NULL)
+ if ((dirname = (char *) malloc(filelen + dirfext_size
+ + filelen + pagfext_size)) == NULL)
return errno = ENOMEM, (DBM *) NULL;
/*
* build the file names
*/
memcpy(dirname, file, filelen);
- memcpy(dirname + filelen, DIRFEXT, dirfext_len + 1);
- pagname = dirname + filelen + dirfext_len + 1;
+ memcpy(dirname + filelen, DIRFEXT, dirfext_size);
+ pagname = dirname + filelen + dirfext_size;
memcpy(pagname, file, filelen);
- memcpy(pagname + filelen, PAGFEXT, pagfext_len + 1);
+ memcpy(pagname + filelen, PAGFEXT, pagfext_size);
db = sdbm_prep(dirname, pagname, flags, mode);
free((char *) dirname);
|
From @rurbanAm 06.03.2012 um 19:26 schrieb Craig Berry via RT:
Yeah, sorry. I forgot to clear that before doing git add.
I know that string constants already include the final \0 but it made the code clearer to me.
I hope that I can test it today. But I'll be out of office from today noon for the next two weeks, -- |
From @rurbanOn Thu, Mar 8, 2012 at 7:07 AM, Reini Urban <rurban@cpanel.net> wrote:
111586_followup.patch tested ok, GTG |
From @craigberryOn Thu, Mar 8, 2012 at 8:23 AM, Reini Urban <rurban@x-ray.at> wrote:
Thanks, applied: http://perl5.git.perl.org/perl.git/commitdiff/acdbe25bd91bf897e0cf373b91ab0814e21c4860 |
|
@cpansprout - Status changed from 'open' to 'resolved' |
Migrated from rt.perl.org#111586 (status was 'resolved')
Searchable as RT111586$
The text was updated successfully, but these errors were encountered: