[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Guile-commits] 01/01: Fix buffer overrun with unbuffered custom binary
From: |
Ludovic Courtès |
Subject: |
[Guile-commits] 01/01: Fix buffer overrun with unbuffered custom binary input ports. |
Date: |
Sun, 18 Jan 2015 21:06:05 +0000 |
civodul pushed a commit to branch stable-2.0
in repository guile.
commit ed72201a795ac1c8d6c0288b6bb710f2bd0ebd9c
Author: Ludovic Courtès <address@hidden>
Date: Sun Jan 18 21:52:48 2015 +0100
Fix buffer overrun with unbuffered custom binary input ports.
Fixes <http://bugs.gnu.org/19621>.
Before that, in 'cbip_fill_input', BUFFERED would be set to 0 when
reading from 'scm_getc' et al, because 'shortbuf' was being used. Thus,
we could eventually execute this line:
/* Copy the data back to the internal buffer. */
memcpy ((char *) c_port->read_pos, SCM_BYTEVECTOR_CONTENTS (bv),
c_octets);
But 'read_pos' would quickly point to the fields beyond 'shortbuf',
thereby leading to a corruption of the 'scm_t_port' itself.
* libguile/r6rs-ports.c (cbip_setvbuf): When READ_SIZE is 0, keep using
BV as the 'read_buf'.
(cbip_fill_input): Adjust assertion to accept 'read_buf_size = 1'.
* test-suite/tests/r6rs-ports.test ("7.2.7 Input Ports")["custom binary
input port unbuffered & 'get-string-all'", "custom binary input port
unbuffered UTF-8 & 'get-string-all'"]: New tests.
---
libguile/r6rs-ports.c | 17 ++++++++++-------
test-suite/tests/r6rs-ports.test | 33 ++++++++++++++++++++++++++++++++-
2 files changed, 42 insertions(+), 8 deletions(-)
diff --git a/libguile/r6rs-ports.c b/libguile/r6rs-ports.c
index 83f8996..93171f0 100644
--- a/libguile/r6rs-ports.c
+++ b/libguile/r6rs-ports.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2009, 2010, 2011, 2013, 2014 Free Software Foundation, Inc.
+/* Copyright (C) 2009, 2010, 2011, 2013-2015 Free Software Foundation, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public License
@@ -307,9 +307,10 @@ cbip_setvbuf (SCM port, long read_size, long write_size)
switch (read_size)
{
case 0:
- /* Unbuffered: keep PORT's bytevector as is (it will be used in
- future 'scm_c_read' calls), but point to the one-byte buffer. */
- pt->read_buf = &pt->shortbuf;
+ /* Unbuffered: keep using PORT's bytevector as the underlying
+ buffer (it will also be used by future 'scm_c_read' calls.) */
+ assert (SCM_BYTEVECTOR_LENGTH (bv) >= 1);
+ pt->read_buf = (unsigned char *) SCM_BYTEVECTOR_CONTENTS (bv);
pt->read_buf_size = 1;
break;
@@ -404,9 +405,11 @@ cbip_fill_input (SCM port)
if (buffered)
{
- /* Make sure the buffer isn't corrupt. BV can be passed directly
- to READ_PROC. */
- assert (c_port->read_buf_size == SCM_BYTEVECTOR_LENGTH (bv));
+ /* Make sure the buffer isn't corrupt. Its size can be 1 when
+ someone called 'setvbuf' with _IONBF. BV can be passed
+ directly to READ_PROC. */
+ assert (c_port->read_buf_size == SCM_BYTEVECTOR_LENGTH (bv)
+ || c_port->read_buf_size == 1);
c_port->read_pos = (unsigned char *) SCM_BYTEVECTOR_CONTENTS (bv);
}
else
diff --git a/test-suite/tests/r6rs-ports.test b/test-suite/tests/r6rs-ports.test
index dba8036..e5f1266 100644
--- a/test-suite/tests/r6rs-ports.test
+++ b/test-suite/tests/r6rs-ports.test
@@ -1,6 +1,6 @@
;;;; r6rs-ports.test --- R6RS I/O port tests. -*- coding: utf-8; -*-
;;;;
-;;;; Copyright (C) 2009, 2010, 2011, 2012, 2014 Free Software Foundation, Inc.
+;;;; Copyright (C) 2009-2012, 2014-2015 Free Software Foundation, Inc.
;;;; Ludovic Courtès
;;;;
;;;; This library is free software; you can redistribute it and/or
@@ -557,6 +557,37 @@ not `set-port-position!'"
obj))
ret)))))
+ (pass-if-equal "custom binary input port unbuffered & 'get-string-all'"
+ (make-string 1000 #\a)
+ ;; In Guile 2.0.11 this test would lead to a buffer overrun followed
+ ;; by an assertion failure. See <http://bugs.gnu.org/19621>.
+ (let* ((input (with-fluids ((%default-port-encoding #f))
+ (open-input-string (make-string 1000 #\a))))
+ (read! (lambda (bv index count)
+ (let ((n (get-bytevector-n! input bv index
+ count)))
+ (if (eof-object? n) 0 n))))
+ (port (make-custom-binary-input-port "foo" read!
+ #f #f #f)))
+ (setvbuf port _IONBF)
+ (get-string-all port)))
+
+ (pass-if-equal "custom binary input port unbuffered UTF-8 & 'get-string-all'"
+ (make-string 1000 #\λ)
+ ;; In Guile 2.0.11 this test would lead to a buffer overrun followed
+ ;; by an assertion failure. See <http://bugs.gnu.org/19621>.
+ (let* ((input (with-fluids ((%default-port-encoding "UTF-8"))
+ (open-input-string (make-string 1000 #\λ))))
+ (read! (lambda (bv index count)
+ (let ((n (get-bytevector-n! input bv index
+ count)))
+ (if (eof-object? n) 0 n))))
+ (port (make-custom-binary-input-port "foo" read!
+ #f #f #f)))
+ (setvbuf port _IONBF)
+ (set-port-encoding! port "UTF-8")
+ (get-string-all port)))
+
(pass-if-equal "custom binary input port, unbuffered then buffered"
`((6 "Lorem ") (12 "ipsum dolor ") (777 "sit amet, consectetur…")
(777 ,(eof-object)))