
commit a1a230af2ea557ed7a9fcd9485ac16278dbdf778
Author: Frank Ch. Eigler <fche@redhat.com>
Date:   Thu Oct 16 16:25:55 2014 -0400
    RHBZ1153673: speculatively correct segv in dead_control_remover
    
    It was reported that ::visit_block was occasionally called with
    a 0-size input vs[].  That leads to an array overflow, as the
    for condition becomes approximately (i < UINT_MAX).
    
       for (size_t i = 0; i < vs.size() - 1; ++i)
         do_something_with (vs[i]);
    
    Let's reject 0-size vectors right away.
diff --git a/elaborate.cxx b/elaborate.cxx
index fa90fe7..35109ab 100644
--- a/elaborate.cxx
+++ b/elaborate.cxx
@@ -4041,6 +4041,8 @@ struct dead_control_remover: public traversing_visitor
 void dead_control_remover::visit_block (block* b)
 {
   vector<statement*>& vs = b->statements;
+  if (vs.size() == 0) /* else (size_t) size()-1 => very big */
+    return;
   for (size_t i = 0; i < vs.size() - 1; ++i)
     {
       vs[i]->visit (this);
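Review bot: The added guard handles the empty block, but the underflow-prone expression `vs.size() - 1` stays in the loop condition on the following line, so the out-of-bounds read can come back the moment someone removes or reorders the early return. Writing the bound as `for (size_t i = 0; i + 1 < vs.size(); ++i)` makes the unsigned wrap-around impossible by construction and needs no separate size check. If the early return is kept, `if (vs.empty()) return;` reads more directly than `vs.size() == 0`, and the comment would be clearer as `/* size() is unsigned: size()-1 wraps to SIZE_MAX on an empty block */`. The body of visit_block continues past the end of the hunk.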