rpms / cscope

Clone
Source Code
GIT

Blame SOURCES/cscope-9-fix-access-beyond-end-of-string.patch

c4 c5 c5-plus c6 c6-plus c7 c7-beta c8 c8-beta c8s c9 c9-beta
  1.   a70d0e2b9ca7d102e1ba3cf42ce278e5ec3b1d4c
  2.   SOURCES
  3.   cscope-9-fix-access-beyond-end-of-string.patch
Blob History Raw
a70d0e 
From b3ab5461f1a02aa0a07a6f50bc2fa4da057193d1 Mon Sep 17 00:00:00 2001
a70d0e 
From: Dominique <dominique.pelle@gmail.com>
a70d0e 
Date: Sun, 8 May 2022 08:27:32 +0200
a70d0e 
Subject: [PATCH 1/2] fix: access beyond end of string when search called by
a70d0e 
 fails
a70d0e 
Content-type: text/plain
a70d0e
a70d0e 
findcalledby() returned a string which was not '\0' terminated.
a70d0e 
That string is later output with the snprintf %s format which
a70d0e 
accessed beyond the end of the string. Bug caused a crash on macOS
a70d0e 
with M1 processor and was also causing a crash on Linux too when
a70d0e 
building with asan (address sanitizer).
a70d0e
a70d0e 
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
a70d0e 
---
a70d0e 
 src/find.c | 12 ++++++------
a70d0e 
 1 file changed, 6 insertions(+), 6 deletions(-)
a70d0e
a70d0e 
diff --git a/src/find.c b/src/find.c
a70d0e 
index d7a66f0..e8f1141 100644
a70d0e 
--- a/src/find.c
a70d0e 
+++ b/src/find.c
a70d0e 
@@ -1044,7 +1044,7 @@ char *
a70d0e 
 findcalledby(char *pattern)
a70d0e 
 {
a70d0e 
 	char	file[PATHLEN + 1];	/* source file name */
a70d0e 
-	static char found_caller = 'n'; /* seen calling function? */
a70d0e 
+	static char found_caller[2] = "n"; /* seen calling function? */
a70d0e 
 	BOOL	macro = NO;
a70d0e
a70d0e 
 	if (invertedindex == YES) {
a70d0e 
@@ -1057,12 +1057,12 @@ findcalledby(char *pattern)
a70d0e 
 			case FCNDEF:
a70d0e 
 				if (dbseek(p->lineoffset) != -1 &&
a70d0e 
 				    scanpast('\t') != NULL) {	/* skip def */
a70d0e 
-					found_caller = 'y';
a70d0e 
+					found_caller[0] = 'y';
a70d0e 
 					findcalledbysub(srcfiles[p->fileindex], macro);
a70d0e 
 				}
a70d0e 
 			}
a70d0e 
 		}
a70d0e 
-		return(&found_caller);
a70d0e 
+		return(&found_caller[0]);
a70d0e 
 	}
a70d0e 
 	/* find the function definition(s) */
a70d0e 
 	while (scanpast('\t') != NULL) {
a70d0e 
@@ -1072,7 +1072,7 @@ findcalledby(char *pattern)
a70d0e 
 			skiprefchar();	/* save file name */
a70d0e 
 			fetch_string_from_dbase(file, sizeof(file));
a70d0e 
 			if (*file == '\0') {	/* if end of symbols */
a70d0e 
-				return(&found_caller);
a70d0e 
+				return(&found_caller[0]);
a70d0e 
 			}
a70d0e 
 			progress("Search", searchcount, nsrcfiles);
a70d0e 
 			break;
a70d0e 
@@ -1087,14 +1087,14 @@ findcalledby(char *pattern)
a70d0e 
 		case FCNDEF:
a70d0e 
 			skiprefchar();	/* match name to pattern */
a70d0e 
 			if (match()) {
a70d0e 
-				found_caller = 'y';
a70d0e 
+				found_caller[0] = 'y';
a70d0e 
 				findcalledbysub(file, macro);
a70d0e 
 			}
a70d0e 
 			break;
a70d0e 
 		}
a70d0e 
 	}
a70d0e
a70d0e 
-	return (&found_caller);
a70d0e 
+	return (&found_caller[0]);
a70d0e 
 }
a70d0e
a70d0e 
 /* find this term, which can be a regular expression */
a70d0e 
--
a70d0e 
2.37.3
a70d0e

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation