[debbugs-tracker] bug#18269: closed (incorrect undossify

emacs-bug-tracker

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[debbugs-tracker] bug#18269: closed (incorrect undossify_input prototype

From:	GNU bug Tracking System
Subject:	[debbugs-tracker] bug#18269: closed (incorrect undossify_input prototype - possible integer overflow)
Date:	Fri, 15 Aug 2014 01:42:02 +0000

Your message dated Thu, 14 Aug 2014 18:41:32 -0700
with message-id <address@hidden>
and subject line Re: bug#18269: incorrect undossify_input prototype - possible 
integer overflow
has caused the debbugs.gnu.org bug report #18269,
regarding incorrect undossify_input prototype - possible integer overflow
to be marked as done.

(If you believe you have received this mail in error, please contact
address@hidden)


-- 
18269: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=18269
GNU Bug Tracking System
Contact address@hidden with problems

--- Begin Message --- Subject: incorrect undossify_input prototype - possible integer overflow Date: Fri, 15 Aug 2014 02:56:19 +0200 User-agent: Mutt/1.5.23-6361-vl-r59709 (2014-07-25)

In grep 2.20, grep.c contains:

  ssize_t fillsize;
  size_t readsize;
[...]
  fillsize = safe_read (bufdesc, readbuf, readsize);
  if (fillsize < 0)
    fillsize = cc = 0;
  bufoffset += fillsize;
  fillsize = undossify_input (readbuf, fillsize);

In practice, readsize can be large on a 64-bit machine (more than
2 GB), so that the return value of safe_read(), fillsize, can also
be large since a read() is called with readsize as the 3rd argument.
But dosbuf.c has:

static int
undossify_input (char *buf, size_t buflen)
{
  if (! O_BINARY)
    return buflen;
[...]

meaning that the potentially large buflen (> 2 GB) is returned as an
int, whose usual size is 32 bits only, yielding an integer overflow.

undossify_input should be rewritten in such a way that some int's are
changed to size_t or ssize_t.

Note: This bug is currently not visible under Linux due to a limitation
in the kernel (breaking POSIX compliance, BTW): the read() return value
is limited to 0x7ffff000.

-- 
Vincent Lefèvre <address@hidden> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

--- End Message ---

--- Begin Message --- Subject: Re: bug#18269: incorrect undossify_input prototype - possible integer overflow Date: Thu, 14 Aug 2014 18:41:32 -0700 User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.0 Thanks for reporting that. Plus, there's a related bug in the use ofsafe_read. I fixed them both with the attached patch.
0001-grep-fix-integer-width-bugs-in-undossify_input-etc.patch
Description: Text document

--- End Message ---

[Prev in Thread]

Current Thread

[Next in Thread]

[debbugs-tracker] bug#18269: closed (incorrect undossify_input prototype - possible integer overflow), GNU bug Tracking System <=

Prev by Date: [debbugs-tracker] Processed: SHR: base handling broken (shr-parse-base, shr-expand-url)
Next by Date: [debbugs-tracker] Processed: Re: bug#18273: sort seems to misbehave if both -u and -n or -k are used
Previous by thread: [debbugs-tracker] Processed: SHR: base handling broken (shr-parse-base, shr-expand-url)
Next by thread: [debbugs-tracker] Processed: Re: bug#18273: sort seems to misbehave if both -u and -n or -k are used
Index(es):
- Date
- Thread