libunwind-devel

[libunwind] src/os-linux.h: scan_dec() and scan_char() may step past nul


From: Mark Young
Subject: [libunwind] src/os-linux.h: scan_dec() and scan_char() may step past null terminator
Date: Tue, 8 Jun 2004 18:18:01 -0700

David,

The string scanning routines scan_dec() and scan_char() in src/os-linux.h may 
step past the null character terminating a string and access invalid data or 
cause a SIGSEGV.

These routines are called from maps_next(), also in src/os-linux.h, to parse 
lines from the process map, /proc/<pid>/maps. On x86_64 some map lines end at 
the inum field, without a following path name. When scan_dec() reaches the end 
of the inum field, it advances cp past the terminator character. Subsequently 
scan_string() accesses invalid data past the terminator and ultimately reads 
beyond the end of the allocated buffer. By examination it is apparent that the 
scan_char() routine has a similar flaw.

scan_dec() should probably not advance cp beyond any non-digit character it 
encounters. scan_char() should not advance cp past a null character.

--Mark
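As an added illustration (not part of Mark's message and not libunwind's own code), the scanners below follow the fix the report proposes: a digit scanner that advances only over digits and so halts on the terminator instead of stepping past it, and a character scanner that refuses to consume a NUL. A constructed `scan_dec_flawed` reproduces the pattern described (advance first, examine the byte afterwards) so the cursor overshoot can be measured without dereferencing anything past the string. The `map_entry` struct, `parse_maps_line`, `flawed_overshoot` and `hardened_overshoot` are assumed names for this example, and the two maps lines fed to it are constructed samples, one with and one without a trailing path.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not libunwind's code: minimal scanners for one line of
 * /proc/<pid>/maps. Each returns the advanced cursor, or NULL if it consumed
 * nothing. */

struct map_entry {                 /* assumed layout for this example */
    unsigned long start, end, offset, inode;
    char perms[5];
    char path[256];
};

/* Constructed reconstruction of the flaw the report describes: the cursor is
 * advanced before the byte is examined, so a terminating NUL is stepped over
 * and the returned cursor points one past it. */
static const char *scan_dec_flawed(const char *cp, unsigned long *valp)
{
    unsigned long val = 0, ndigits = 0;
    for (;;) {
        unsigned char c = (unsigned char)*cp++;   /* advances even on '\0' */
        if (c < '0' || c > '9')
            break;
        val = val * 10 + (c - '0');
        ++ndigits;
    }
    if (!ndigits)
        return NULL;
    *valp = val;
    return cp;
}

/* Hardened: only a digit advances the cursor, so it rests on the first
 * non-digit (the terminator included) rather than beyond it. */
static const char *scan_dec(const char *cp, unsigned long *valp)
{
    unsigned long val = 0, ndigits = 0;
    while (*cp >= '0' && *cp <= '9') {
        val = val * 10 + (unsigned long)(*cp - '0');
        ++ndigits;
        ++cp;
    }
    if (!ndigits)
        return NULL;
    *valp = val;
    return cp;
}

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;                      /* '\0' lands here, so scanning stops */
}

static const char *scan_hex(const char *cp, unsigned long *valp)
{
    unsigned long val = 0, ndigits = 0;
    int d;
    while ((d = hexval(*cp)) >= 0) {
        val = (val << 4) | (unsigned long)d;
        ++ndigits;
        ++cp;
    }
    if (!ndigits)
        return NULL;
    *valp = val;
    return cp;
}

/* Hardened: never consumes the terminator. */
static const char *scan_char(const char *cp, char *valp)
{
    if (!*cp)
        return NULL;
    *valp = *cp;
    return cp + 1;
}

/* Skips blanks, then copies a whitespace-delimited token into buf (bounded).
 * An empty token is fine: the path field is optional on many map lines. */
static const char *scan_string(const char *cp, char *buf, size_t buflen)
{
    size_t i = 0;
    while (*cp == ' ' || *cp == '\t')
        ++cp;
    while (*cp && *cp != ' ' && *cp != '\t' && *cp != '\n') {
        if (i + 1 < buflen)
            buf[i++] = *cp;
        ++cp;
    }
    buf[i] = '\0';
    return cp;
}

/* Parses "start-end perms offset maj:min inode [path]". Returns 0 on success,
 * -1 if any mandatory field is missing or malformed. */
int parse_maps_line(const char *line, struct map_entry *m)
{
    const char *cp = line;
    unsigned long maj, min;
    char sep;
    int i;

    memset(m, 0, sizeof *m);
    if (!(cp = scan_hex(cp, &m->start)))                  return -1;
    if (!(cp = scan_char(cp, &sep)) || sep != '-')        return -1;
    if (!(cp = scan_hex(cp, &m->end)))                    return -1;
    if (*cp++ != ' ')                                     return -1;
    for (i = 0; i < 4; ++i)
        if (!(cp = scan_char(cp, &m->perms[i])))          return -1;
    if (*cp++ != ' ')                                     return -1;
    if (!(cp = scan_hex(cp, &m->offset)))                 return -1;
    if (*cp++ != ' ')                                     return -1;
    if (!(cp = scan_hex(cp, &maj)))                       return -1;
    if (!(cp = scan_char(cp, &sep)) || sep != ':')        return -1;
    if (!(cp = scan_hex(cp, &min)))                       return -1;
    if (*cp++ != ' ')                                     return -1;
    if (!(cp = scan_dec(cp, &m->inode)))                  return -1;
    /* cp now rests on ' ' (a path follows) or on '\0' (no path): both safe. */
    scan_string(cp, m->path, sizeof m->path);
    return 0;
}

/* Distance of the flawed scanner's returned cursor past the terminator of s
 * (1 means it stepped over the NUL); -1 if nothing was scanned. */
long flawed_overshoot(const char *s)
{
    unsigned long v;
    const char *end = scan_dec_flawed(s, &v);
    return end ? (long)(end - (s + strlen(s))) : -1;
}

long hardened_overshoot(const char *s)
{
    unsigned long v;
    const char *end = scan_dec(s, &v);
    return end ? (long)(end - (s + strlen(s))) : -1;
}
```

The inode field is the last mandatory one, which is exactly why the flaw surfaces on path-less lines: with the flawed scanner the cursor handed to `scan_string` already sits past the NUL, and the string scanner then walks whatever memory follows the buffer. The hardened scanners stop on the NUL, and `scan_string` given a cursor on the NUL simply yields an empty path.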