[Octave-bug-tracker] [bug #51533] heap-buffer-overflow in Sparse.cc-tst
From: Rik
Subject: [Octave-bug-tracker] [bug #51533] heap-buffer-overflow in Sparse.cc-tst
Date: Sun, 23 Jul 2017 20:36:30 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0

Update of bug #51533 (project octave):
Status: Works For Me => In Progress
_______________________________________________________
Follow-up Comment #9:
I reviewed lex.ll and the heap buffer overflow supposedly occurs with a read
supposedly on this line of code.

    function_text += "\n";

I suspect that it actually is the line before, but the error reporting is
slightly off.

    if (current_input_line[current_input_line.length () - 1] != '\n')

This could cause a problem if, for example, current_input_line was empty so
that the length was 0. In this case the index would be [-1] which could
trigger this.

To debug this I modified the code slightly (there is a diff attached to the
bug report). Could you apply the diff with "patch -p1 < lex.diff", rebuild,
and then run "test liboctave/array/Sparse.cc-tst" as before. Even if it
segfaults, I expect the diagnostics will be better and be localized to the
'char c' line.

diff -r f864950f837c libinterp/parse-tree/lex.ll
--- a/libinterp/parse-tree/lex.ll Sun Jul 23 10:33:40 2017 -0700
+++ b/libinterp/parse-tree/lex.ll Sun Jul 23 17:28:37 2017 -0700
@@ -3663,8 +3663,12 @@ namespace octave
if (buffer_function_text)
{
function_text += current_input_line;
- if (current_input_line[current_input_line.length () - 1] !=
'\n')
- function_text += "\n";
+ if (current_input_line.length () > 0)
+ {
+ char c = current_input_line[current_input_line.length () -
1];
+ if (c != '\n')
+ function_text += "\n";
+ }
}
}
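Review bot: In the new `if (current_input_line.length () > 0)` branch, an empty current_input_line now adds nothing to function_text, while a non-empty line without a trailing '\n' still gets "\n" appended. Please confirm that skipping the terminator for an empty line is the intended behaviour, or append "\n" in that case too so the buffered function text keeps one line per input line. As a style point, `! current_input_line.empty ()` states the guard more directly than `length () > 0`, and the temporary `char c` exists only to localize the diagnostic, so it is worth a comment or folding it back into the condition once the report is confirmed.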
(file #41308)
_______________________________________________________
Additional Item Attachment:
File name: lex.diff Size:0 KB
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/bugs/?51533>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
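
The empty-line case discussed in the comment above, as an added C++ example that is not part of the original message or of Octave's code. It assumes current_input_line is a std::string; last_index, ends_with_newline, buffer_lines and the sample lines are hypothetical names and constructed inputs.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Index that `s[s.length () - 1]` would use.  length () is unsigned, so for
// an empty string the subtraction wraps to the largest size_t value.
std::size_t last_index (const std::string& s)
{
  return s.length () - 1;
}

// True when the line already ends in a newline; an empty line never does,
// and it is never indexed.
bool ends_with_newline (const std::string& line)
{
  return ! line.empty () && line.back () == '\n';
}

// Hypothetical stand-in for the buffering step: append each line and
// terminate it.  terminate_empty = false matches the diff on this page,
// which appends nothing for an empty line.
std::string buffer_lines (const std::vector<std::string>& lines,
                          bool terminate_empty)
{
  std::string function_text;
  for (const auto& line : lines)
    {
      function_text += line;
      if (line.empty ())
        {
          if (terminate_empty)
            function_text += "\n";
        }
      else if (! ends_with_newline (line))
        function_text += "\n";
    }
  return function_text;
}

int main ()
{
  // Constructed sample input: terminated line, empty line, unterminated line.
  std::vector<std::string> lines = { "a = 1;\n", "", "b = 2;" };
  std::cout << "index for empty line: " << last_index ("") << "\n";
  std::cout << buffer_lines (lines, false);
  return 0;
}
```

With AddressSanitizer enabled, the unguarded `s[s.length () - 1]` on an empty string is the kind of read that can be reported as a heap-buffer-overflow; the guarded helper never performs that access.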