Closed lometsj closed 3 years ago
Indeed. I wonder if --k
has any purpose at all, even without hitting overflow.
I think there are more problems. The assignment of '.' might be outside the buffer. --k
accounts for the .
. EDIT: no, there is one extra space reserved for that.
yes, i agree --k
accounts for the .
Please review last commit on master: 8a90c92
BTW: it is rather strange that the compiler did not warn about this.
~~it seems not solve memcpy's copy overflow
actually the stack overflow happens on the next loop after truncated
in my opinion
just mod while (p && k>0)
to
while(p && k>0 && k<0x8000000000000000)
~~
EDIT:
sorry for mistake.
it seems ok for solving it.
compiler did not warn because it don't know the value of n0
, n
on the runtime
memcpy(buf + n0, p->ident->text, n);
Sorry, but your suggestion is not good because it depends on the integer size.
The following was written before your last EDIT, FYI. So I will close here.
Why do you think an overflow still happens? Does your test still fail?
The invariant is that k is what is left in the buffer. In the new version, k > 0 on entry. If '.' is added, k could become zero. However, n will not be larger than k when entering memcpy, so worst case, 0 bytes are copied, which will not result in a buffer overrun. At least as I understand it.
The compiler could have warned that the test <= 0 does not make sense. There are many other places where the compiler warns even if the code actually makes sense.
It's getting late, so I'll continue tomorrow if you have some suggestions.
Thanks for reporting.
in parser.c k seems like the size of the rest of buffer on stack(var 'buf' which type is char[]). n is memcpy size as 3rd para.
while
condition k>0 to keep buffer is not full. if enter inif(k<n)
branchn=k
,var n is assigned the value of k thenk -=n
,var k is assigned the value 0 then--k
, var k is assigned the value 0xffffffffffffffff while var k's type is size_t. so the while conditionk > 0
not make sense. next memcpy will lead to stack overflowpoc: