[Chicken-janitors] #1216: string-ref specialization elides range check
From: Chicken Trac
Subject: [Chicken-janitors] #1216: string-ref specialization elides range check
Date: Wed, 26 Aug 2015 20:09:15 -0000
#1216: string-ref specialization elides range check
-------------------------+---------------------
Reporter: syn | Owner:
Type: defect | Status: new
Priority: major | Milestone: someday
Component: scrutinizer | Version: 4.10.x
Keywords: |
-------------------------+---------------------
The {{{types.db}}} entry for {{{string-ref}}} currently looks like this:
{{{
(string-ref (#(procedure #:clean #:enforce) string-ref (string fixnum)
char)
((string fixnum) (##core#inline "C_subchar" #(1) #(2))))
}}}
However, unlike {{{C_subchar}}}, the unspecialized version of {{{string-ref}}}
(which is really {{{C_i_string_ref}}}) doesn't just check its argument type
but also whether the {{{fixnum}}} argument is within range of the
{{{string}}} argument. Thus, the specialization may result in buffer
overruns, posing a potential vulnerability.
--
Ticket URL: <http://bugs.call-cc.org/ticket/1216>
CHICKEN Scheme <http://www.call-cc.org/>
CHICKEN Scheme is a compiler for the Scheme programming language.
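The defect described in the ticket is a general one: a compiler rewrite that replaces a checked primitive with an unchecked one is only sound if the rewrite also establishes the precondition the check enforced. The following C example is added here to illustrate that point; it is not CHICKEN's code and does not use CHICKEN's string layout, `C_subchar` or `C_i_string_ref`. The `str_t` type, the `subchar_unchecked` and `string_ref_checked` functions, and the `may_specialize` rule are all hypothetical stand-ins: the first pair models an unchecked fast path next to the checked accessor it must not silently replace, and `may_specialize` models the condition a specializer would have to prove (index statically known to lie within the string's length) before it is allowed to emit the unchecked path.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical string object with an explicit length, so the accessor can be
   range-checked. This is an illustration, not CHICKEN's object layout. */
typedef struct {
    const char *data;
    size_t len;
} str_t;

typedef enum { REF_OK = 0, REF_TYPE_ERROR = 1, REF_RANGE_ERROR = 2 } ref_status;

/* Inclusive bounds a compiler has proven for an index at a call site. */
typedef struct {
    long lo;
    long hi;
} range_t;

/* Build a str_t from a NUL-terminated literal (constructed test input). */
static str_t make_str(const char *lit) {
    str_t s;
    s.data = lit;
    s.len = strlen(lit);
    return s;
}

/* Unchecked accessor: the role the inlined fast path plays. It trusts the
   caller to guarantee 0 <= idx < len; nothing here protects against an
   out-of-range index, which is exactly why it must not be substituted freely. */
static char subchar_unchecked(const str_t *s, long idx) {
    return s->data[idx];
}

/* Checked accessor: the behaviour the unspecialized primitive preserves.
   The type check is modelled by rejecting a missing string; the range check
   rejects negative indices and indices at or past the length. */
static ref_status string_ref_checked(const str_t *s, long idx, char *out) {
    if (s == NULL || s->data == NULL) {
        return REF_TYPE_ERROR;
    }
    if (idx < 0 || (unsigned long)idx >= s->len) {
        return REF_RANGE_ERROR;
    }
    *out = subchar_unchecked(s, idx);
    return REF_OK;
}

/* Soundness condition for replacing the checked accessor with the unchecked
   one: every index value the compiler considers possible must be in range for
   the string length it knows. If it cannot prove this, it must keep the check. */
static bool may_specialize(size_t known_len, range_t idx_bounds) {
    if (idx_bounds.lo > idx_bounds.hi) {
        return false;              /* empty range: nothing is known */
    }
    if (idx_bounds.lo < 0) {
        return false;              /* a negative index is possible */
    }
    return (unsigned long)idx_bounds.hi < known_len;
}

int main(void) {
    str_t s = make_str("hello");   /* constructed sample string, length 5 */
    char c;
    ref_status st;

    st = string_ref_checked(&s, 4, &c);
    printf("idx 4: status %d, char %c\n", st, st == REF_OK ? c : '?');
    st = string_ref_checked(&s, 5, &c);
    printf("idx 5: status %d (range error expected)\n", st);

    range_t ok = {0, 4};
    range_t off_by_one = {0, 5};
    printf("specialize [0,4] on len 5: %s\n", may_specialize(s.len, ok) ? "yes" : "no");
    printf("specialize [0,5] on len 5: %s\n", may_specialize(s.len, off_by_one) ? "yes" : "no");
    return 0;
}
```

The point of `may_specialize` is that the decision belongs to the compiler's knowledge about the index, not to the primitive: a rewrite table entry that unconditionally maps the checked operation to the unchecked one, as the quoted `types.db` rule does, removes the check without supplying that knowledge.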