Date: Thu, 12 Dec 2002 02:49:15 +0100 (CET) From: Stefan Farfeleder <stefan@fafoe.dyndns.org> To: FreeBSD-gnats-submit@FreeBSD.org Cc: e0026813@stud3.tuwien.ac.at Subject: bin/46203: [patch] make(1) missing trailing '\0' and accessing junk memory if '$' is at the end of line Message-ID: <20021212014915.CF16A78A@frog.fafoe>
>Number: 46203
>Category: bin
>Synopsis: [patch] make(1) missing trailing '\0' and accessing junk memory if '$' is at the end of line
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Dec 11 17:50:01 PST 2002
>Closed-Date:
>Last-Modified:
>Originator: Stefan Farfeleder
>Release: FreeBSD 5.0-RC i386
>Organization:
>Environment:
System: FreeBSD frog.fafoe 5.0-RC FreeBSD 5.0-RC #5: Tue Dec 10 19:18:00 CET 2002 freebsd@frog.fafoe:/freebsd/current/obj/freebsd/current/src/sys/FROG i386
>Description:
The function Var_Subst() goes through every character in its argument
`str' and calls Var_Parse() if it finds a '$'. The latter function
stores the number of characters occupied by the '$' and the variable
name into *lengthPtr, which is then added to `str' in Var_Subst().
However, if Var_Parse() fails to parse the variable name after the '$',
*lengthPtr is always assigned the value 2. This causes `str' to point
one behind the terminating '\0' if the '$' is immediately followed by
the '\0'. IOW, before var.c:1759 is executed, str == "$" and
length == 2; afterwards str is pointing to garbage.
>How-To-Repeat:
If no '\0' is in the memory owned by make following `str', a
segmentation fault will occur.
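A constructed model of the Var_Subst()/Var_Parse() interaction described above, added here as an example (it is not make(1)'s code): parse_var_buggy() reports the fixed length 2 that the report complains about, parse_var_fixed() applies the patch's logic, and scan_overrun() replays Var_Subst()'s cursor loop while checking, before any dereference, whether the cursor would land past the terminator. Only the invalid-specification path is modelled; known variables and the `$(...)`/`${...}` forms are left out.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of make(1)'s Var_Subst()/Var_Parse() interaction
 * (not the FreeBSD source). parse_var_*() stands in for Var_Parse() on
 * the invalid-specification path only: it returns how many bytes the
 * '$' specification occupied, which the caller adds to its cursor. */

/* Buggy behaviour from the report: always claim 2 bytes, even when the
 * '$' is the last character before the terminating '\0'. */
static size_t parse_var_buggy(const char *str)
{
    (void)str;
    return 2;
}

/* Patched behaviour: 1 byte if the '$' ends the string, else 2. */
static size_t parse_var_fixed(const char *str)
{
    return (str[1] != '\0') ? 2 : 1;
}

/* Model of Var_Subst()'s scan loop. Instead of reading past the end,
 * returns how many bytes beyond the terminating '\0' the cursor would
 * have advanced; 0 means every read stayed inside the string. */
static size_t scan_overrun(const char *str,
                           size_t (*parse_var)(const char *))
{
    const char *end = str + strlen(str);   /* points at the '\0' */
    const char *p = str;

    while (*p != '\0') {
        if (*p == '$')
            p += parse_var(p);   /* Var_Subst adds *lengthPtr to str */
        else
            p++;
        if (p > end)
            return (size_t)(p - end);   /* next *p would read junk */
    }
    return 0;
}
```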
>Fix:
I'm fixing things inside Var_Parse() because it seems to be cleaner to
set length to 1 if str == "$" than to deal with it in Var_Subst().
[patch survived a buildworld]
--- make.diff begins here ---
Index: src/usr.bin/make/var.c
===================================================================
RCS file: /usr/home/ncvs/src/usr.bin/make/var.c,v
retrieving revision 1.40
diff -u -c -r1.40 var.c
*** src/usr.bin/make/var.c 8 Nov 2002 16:59:11 -0000 1.40
--- src/usr.bin/make/var.c 12 Dec 2002 00:23:10 -0000
***************
*** 801,807 ****
* The (possibly-modified) value of the variable or var_Error if the
* specification is invalid. The length of the specification is
* placed in *lengthPtr (for invalid specifications, this is just
! * 2...?).
* A Boolean in *freePtr telling whether the returned string should
* be freed by the caller.
*
--- 801,808 ----
* The (possibly-modified) value of the variable or var_Error if the
* specification is invalid. The length of the specification is
* placed in *lengthPtr (for invalid specifications, this is just
! * 2 to skip the '$' and the following letter, or 1 if '$' was the
! * last character in the string).
* A Boolean in *freePtr telling whether the returned string should
* be freed by the caller.
*
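Review bot: the new comment says the length is "2 to skip the '$' and the following letter", but on the invalid path the byte after '$' is whatever happened to follow it, not necessarily a letter; "the following character" would describe the code more accurately. It would also help to say why the value 1 matters here: Var_Subst() adds *lengthPtr to its cursor, so reporting 2 for a trailing '$' moves the cursor one past the terminating '\0'.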
***************
*** 850,856 ****
v = VarFind (name, ctxt, FIND_ENV | FIND_GLOBAL | FIND_CMD);
if (v == (Var *)NULL) {
! *lengthPtr = 2;
if ((ctxt == VAR_CMD) || (ctxt == VAR_GLOBAL)) {
/*
--- 851,860 ----
v = VarFind (name, ctxt, FIND_ENV | FIND_GLOBAL | FIND_CMD);
if (v == (Var *)NULL) {
! if (str[1] != '\0')
! *lengthPtr = 2;
! else
! *lengthPtr = 1;
if ((ctxt == VAR_CMD) || (ctxt == VAR_GLOBAL)) {
/*
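Review bot: the check is applied only where VarFind() fails for a one-character name; the description says *lengthPtr is "always assigned the value 2" when the name cannot be parsed, so if Var_Parse() has any other exit that reports 2 for an invalid specification, a trailing '$' would still overrun there, and it would be worth either covering those exits too or computing the length in one place. As a style point, `*lengthPtr = (str[1] != '\0') ? 2 : 1;` expresses the same in one statement. A regression case with a makefile line ending in a bare '$' would keep this off-by-one from coming back.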
--- make.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021212014915.CF16A78A>
