DragonFly BSD
DragonFly bugs List (threaded) for 2004-11

Re: Possible bug in make


From: Matthew Dillon <dillon@xxxxxxxxxxxxxxxxxxxx>
Date: Sun, 14 Nov 2004 12:08:59 -0800 (PST)

:In function Arch_ParseArchive() line 349, there is a possible buffer
:over run.  I don't have a test case, but the grow buffer code
:has an inverted test.
:
:             Lst   members = Lst_Init(FALSE);
:             char  *member;
:             size_t sz = MAXPATHLEN;
:             size_t nsz;
:             nameBuf = emalloc(sz);
:
:             Dir_Expand(memName, dirSearchPath, members);
:             while (!Lst_IsEmpty(members)) {
:                 member = (char *)Lst_DeQueue(members);
:                 nsz = strlen(libName) + strlen(member) + 3;
:                 if (sz > nsz)
:                         nameBuf = erealloc(nameBuf, sz = nsz * 2);
:		^^^^^^^^^^^^^
:Test is backwards.  nameBuf should be reallocated if (sz < nsz).
:
:
:                 snprintf(nameBuf, sz, "%s(%s)", libName, member);
:                 free(member);
:                 gn = Targ_FindNode (nameBuf, TARG_CREATE);
:                 if (gn == NULL) {
:                     free(nameBuf);

    The test is definitely backwards, but fortunately there is no 
    buffer overflow because the snprintf() is using 'sz' as the
    size limitation. 

    I'll clean it up.  The embedded sz = nsz * 2 is also pretty bad
    style.

					-Matt
					Matthew Dillon 
					<dillon@xxxxxxxxxxxxx>
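The inverted grow test and the reason it does not overflow can be shown side by side. The following is an added example written for this page, not code from make or from the thread; the function names (build_member_name_buggy, build_member_name_fixed, member_name_truncated) and the tiny initial size and input strings are constructed for the demonstration. It reproduces the shape of the quoted loop body: the buggy version keeps the backwards `if (sz > nsz)` and the embedded assignment, so the buffer never grows once it is too small and snprintf() truncates; the fixed version grows on `sz < nsz` and keeps the doubling out of the call.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for make's emalloc()/erealloc(): abort on failure. */
static void *xmalloc(size_t n) { void *p = malloc(n); if (!p) abort(); return p; }
static void *xrealloc(void *p, size_t n) { p = realloc(p, n); if (!p) abort(); return p; }

/* Buggy shape (hypothetical name): the test is inverted, so the buffer is
 * reallocated only when it is already large enough and never when it is
 * too small. snprintf() is still bounded by sz, so the worst case is a
 * truncated "lib(member)" string, not a write past the buffer. */
static int build_member_name_buggy(char **bufp, size_t *szp,
                                   const char *lib, const char *member)
{
    size_t nsz = strlen(lib) + strlen(member) + 3;   /* "lib(member)" + NUL */
    if (*szp > nsz)                                  /* backwards */
        *bufp = xrealloc(*bufp, *szp = nsz * 2);     /* embedded assignment */
    return snprintf(*bufp, *szp, "%s(%s)", lib, member);
}

/* Fixed shape (hypothetical name): grow when the buffer is too small,
 * with the size update as its own statement. */
static int build_member_name_fixed(char **bufp, size_t *szp,
                                   const char *lib, const char *member)
{
    size_t nsz = strlen(lib) + strlen(member) + 3;
    if (*szp < nsz) {
        *szp = nsz * 2;
        *bufp = xrealloc(*bufp, *szp);
    }
    return snprintf(*bufp, *szp, "%s(%s)", lib, member);
}

/* Run one constructed case through either variant.
 * Returns 1 if the formatted name was truncated, 0 if it fit intact.
 * The initial size is deliberately tiny (make starts at MAXPATHLEN, where
 * the inverted test instead causes a needless realloc on every member). */
static int member_name_truncated(int use_fixed)
{
    size_t sz = 8;
    char *buf = xmalloc(sz);
    const char *lib = "libfoo.a";        /* constructed input */
    const char *member = "longmember.o"; /* constructed input */
    int n = use_fixed ? build_member_name_fixed(&buf, &sz, lib, member)
                      : build_member_name_buggy(&buf, &sz, lib, member);
    /* snprintf() reports the length it wanted; >= sz means it was cut off */
    int truncated = (n < 0 || (size_t)n >= sz);
    free(buf);
    return truncated;
}

int main(void)
{
    printf("inverted test: %s\n",
           member_name_truncated(0) ? "truncated" : "intact");
    printf("corrected test: %s\n",
           member_name_truncated(1) ? "truncated" : "intact");
    return 0;
}
```

Checking the snprintf() return value against sz is the general way to detect this class of silent truncation; the quoted make code does not check it, which is why the bug was invisible rather than harmful.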


