Possible bug in make

Matthew Dillon dillon at apollo.backplane.com
Sun Nov 14 12:09:43 PST 2004


:In function Arch_ParseArchive() line 349, there is a possible buffer
:over run.  I don't have a test case, but the grow buffer code
:has an inverted test.
:
:             Lst   members = Lst_Init(FALSE);
:             char  *member;
:             size_t sz = MAXPATHLEN;
:             size_t nsz;
:             nameBuf = emalloc(sz);
:
:             Dir_Expand(memName, dirSearchPath, members);
:             while (!Lst_IsEmpty(members)) {
:                 member = (char *)Lst_DeQueue(members);
:                 nsz = strlen(libName) + strlen(member) + 3;
:                 if (sz > nsz)
:                         nameBuf = erealloc(nameBuf, sz = nsz * 2);
:		^^^^^^^^^^^^^
:Test is backwards.  nameBuf should be reallocated if (sz < nsz).
:
:
:                 snprintf(nameBuf, sz, "%s(%s)", libName, member);
:                 free(member);
:                 gn = Targ_FindNode (nameBuf, TARG_CREATE);
:                 if (gn == NULL) {
:                     free(nameBuf);

    The test is definitely backwards, but fortunately there is no 
    buffer overflow because the snprintf() is using 'sz' as the
    size limitation. 

    I'll clean it up.  The embedded sz = nsz * 2 is also pretty bad
    style.

					-Matt
					Matthew Dillon 
					<dillon at xxxxxxxxxxxxx>
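As an added illustration (not code from the report or from the make source), a small C harness that mirrors the quoted loop body with both the inverted test and the corrected one; it uses a constructed small initial size in place of MAXPATHLEN so the difference becomes visible, and shows that the bounded snprintf() turns the missed realloc into truncation rather than an overflow:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors the quoted loop body: build "libName(member)" into buf, whose
 * current size is *szp, growing it first when the test says so.
 * inverted != 0 uses the test from the report (sz > nsz); 0 uses the
 * corrected test (sz < nsz). Returns the (possibly reallocated) buffer
 * and updates *szp, like the original's "sz = nsz * 2". */
static char *build_name(char *buf, size_t *szp, const char *libName,
                        const char *member, int inverted)
{
    size_t sz = *szp;
    size_t nsz = strlen(libName) + strlen(member) + 3; /* '(' ')' NUL */
    int need_grow = inverted ? (sz > nsz) : (sz < nsz);

    if (need_grow) {
        sz = nsz * 2;
        buf = realloc(buf, sz);
        if (buf == NULL)
            abort();
    }
    /* snprintf() is bounded by sz: if the buffer was not grown, the
     * result is silently truncated, never written past the buffer. */
    snprintf(buf, sz, "%s(%s)", libName, member);
    *szp = sz;
    return buf;
}

/* Hypothetical helper: allocate init_sz bytes (a constructed small size
 * standing in for MAXPATHLEN) and run one iteration. Caller frees. */
char *name_with_test(const char *libName, const char *member,
                     size_t init_sz, int inverted)
{
    size_t sz = init_sz;
    char *buf = malloc(sz);
    if (buf == NULL)
        abort();
    return build_name(buf, &sz, libName, member, inverted);
}

int main(void)
{
    char *bad = name_with_test("libfoo.a", "bar.o", 8, 1);
    char *good = name_with_test("libfoo.a", "bar.o", 8, 0);
    printf("inverted test: \"%s\"\ncorrected test: \"%s\"\n", bad, good);
    free(bad);
    free(good);
    return 0;
}
```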