octave-bug-tracker

[Octave-bug-tracker] [bug #51533] heap-buffer-overflow in Sparse.cc-tst


From: Rik
Subject: [Octave-bug-tracker] [bug #51533] heap-buffer-overflow in Sparse.cc-tst
Date: Sun, 23 Jul 2017 20:36:30 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0

Update of bug #51533 (project octave):

                  Status:            Works For Me => In Progress            

    _______________________________________________________

Follow-up Comment #9:

I reviewed lex.ll and the heap buffer overflow supposedly occurs with a read
on this line of code.


function_text += "\n";


I suspect that it actually is the line before, but the error reporting is
slightly off.


if (current_input_line[current_input_line.length () - 1] != '\n')


This could cause a problem if, for example, current_input_line was empty so
that the length was 0.  In this case the index would be [-1] which could
trigger this.

To debug this I modified the code slightly (there is a diff attached to the
bug report).  Could you apply the diff with "patch -p1 < lex.diff", rebuild,
and then run "test liboctave/array/Sparse.cc-tst" as before?  Even if it
segfaults, I expect the diagnostics will be better and be localized to the
'char c' line.


diff -r f864950f837c libinterp/parse-tree/lex.ll
--- a/libinterp/parse-tree/lex.ll       Sun Jul 23 10:33:40 2017 -0700
+++ b/libinterp/parse-tree/lex.ll       Sun Jul 23 17:28:37 2017 -0700
@@ -3663,8 +3663,12 @@ namespace octave
         if (buffer_function_text)
           {
             function_text += current_input_line;
-            if (current_input_line[current_input_line.length () - 1] !=
'\n')
-              function_text += "\n";
+            if (current_input_line.length () > 0)
+              {
+                char c = current_input_line[current_input_line.length () -
1];
+                if (c != '\n')
+                  function_text += "\n";
+              }
           }
       }
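Review bot: the `current_input_line.length () > 0` guard is the right fix for the empty-line case, but the failure mode is not an index of -1: `length ()` returns `size_t`, so `length () - 1` on an empty string wraps to `SIZE_MAX`, and `operator[]` with that index does pointer arithmetic that lands one byte before the string's buffer, which is exactly the kind of out-of-bounds heap read a sanitizer flags on a nearby line. The condition reads more directly as `if (! current_input_line.empty () && current_input_line.back () != '\n')`, which states the intent without any index arithmetic. It is also worth confirming why the lexer reaches this point with an empty `current_input_line` at all, since the guard silences the read but an empty line now contributes neither text nor a newline to `function_text`.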




(file #41308)
    _______________________________________________________

Additional Item Attachment:

File name: lex.diff                       Size:0 KB


    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?51533>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
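The empty-line case discussed in the comment above, as an added example that is not part of the bug report or of Octave's own lex.ll: a standalone helper that applies the hardened append logic (non-empty and not already newline-terminated before appending "\n"), plus two small functions that make the size_t wraparound visible. The helper names append_function_line, buffer_lines, last_index_unguarded and last_index_in_bounds are hypothetical and chosen for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Hardened form of the buffering step described in the report (hypothetical
// helper, not Octave's code): append the line, then a newline only when the
// line is non-empty and does not already end with one.
std::string append_function_line(std::string function_text,
                                 const std::string& current_input_line)
{
    function_text += current_input_line;
    if (!current_input_line.empty() && current_input_line.back() != '\n')
        function_text += "\n";
    return function_text;
}

// The unguarded expression from the original code. length() is size_t, so on
// an empty string this wraps to SIZE_MAX instead of becoming -1.
std::size_t last_index_unguarded(const std::string& s)
{
    return s.length() - 1;
}

// True when the unguarded index wraps on an empty string.
bool wraps_on_empty()
{
    return last_index_unguarded(std::string()) == SIZE_MAX;
}

// The bounds check that must precede any use of that index: for an empty
// string the wrapped index is never smaller than the length.
bool last_index_in_bounds(const std::string& s)
{
    std::size_t idx = s.length() - 1;
    return idx < s.length();
}

// Feeds a constructed sequence of input lines through the helper, the way the
// lexer accumulates function_text line by line, and returns the result.
std::string buffer_lines(const std::vector<std::string>& lines)
{
    std::string text;
    for (const auto& line : lines)
        text = append_function_line(text, line);
    return text;
}

int main()
{
    // Constructed sample: a newline-terminated line, an empty line (the case
    // that triggered the report), an unterminated line and a closing keyword.
    std::vector<std::string> lines = {"function y = f (x)\n", "", "  y = x;", "end"};
    std::cout << "wraps on empty: " << std::boolalpha << wraps_on_empty() << '\n';
    std::cout << "buffered text:\n" << buffer_lines(lines);
    return 0;
}
```

The empty line is the only input for which the original condition was unsafe; with the guard it simply contributes nothing, which is what the patch on the bug report also does.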
