* [PATCH] off-by-one bugs found by valgrind
@ 2005-12-21 20:35 Pavel Roskin
2005-12-21 20:59 ` Junio C Hamano
0 siblings, 1 reply; 5+ messages in thread
From: Pavel Roskin @ 2005-12-21 20:35 UTC (permalink / raw)
To: git
Insufficient memory is allocated in index-pack.c to hold the *.idx name.
One more byte should be allocated to hold the terminating 0.
quote_c_style_counted() in quote.c uses a dangerous construct, when a
variable is incremented once and used twice in the same expression.
Convert this construct to a more traditional form of the for loop.
Signed-off-by: Pavel Roskin <proski@gnu.org>
diff --git a/index-pack.c b/index-pack.c
index 785fe71..d4ce3af 100644
--- a/index-pack.c
+++ b/index-pack.c
@@ -440,7 +440,7 @@ int main(int argc, char **argv)
if (len < 5 || strcmp(pack_name + len - 5, ".pack"))
die("packfile name '%s' does not end with '.pack'",
pack_name);
- index_name_buf = xmalloc(len - 1);
+ index_name_buf = xmalloc(len);
memcpy(index_name_buf, pack_name, len - 5);
strcpy(index_name_buf + len - 5, ".idx");
index_name = index_name_buf;
diff --git a/quote.c b/quote.c
index 76eb144..00297b5 100644
--- a/quote.c
+++ b/quote.c
@@ -126,8 +126,10 @@ static int quote_c_style_counted(const c
if (!no_dq)
EMIT('"');
- for (sp = name; (ch = *sp++) && (sp - name) <= namelen; ) {
-
+ for (sp = name; sp < name + namelen; sp++) {
+ ch = *sp;
+ if (!ch)
+ break;
if ((ch < ' ') || (ch == '"') || (ch == '\\') ||
(ch == 0177)) {
needquote = 1;
--
Regards,
Pavel Roskin
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH] off-by-one bugs found by valgrind
2005-12-21 20:35 [PATCH] off-by-one bugs found by valgrind Pavel Roskin
@ 2005-12-21 20:59 ` Junio C Hamano
2005-12-21 21:17 ` H. Peter Anvin
2005-12-22 0:27 ` Horst von Brand
0 siblings, 2 replies; 5+ messages in thread
From: Junio C Hamano @ 2005-12-21 20:59 UTC (permalink / raw)
To: Pavel Roskin; +Cc: git
Pavel Roskin <proski@gnu.org> writes:
> Insufficient memory is allocated in index-pack.c to hold the *.idx name.
> One more byte should be allocated to hold the terminating 0.
Thanks.
> quote_c_style_counted() in quote.c uses a dangerous construct, when a
> variable is incremented once and used twice in the same expression.
Sorry, I do not follow you. Isn't && a sequence point?
> - for (sp = name; (ch = *sp++) && (sp - name) <= namelen; ) {
> -
> + for (sp = name; sp < name + namelen; sp++) {
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] off-by-one bugs found by valgrind
2005-12-21 20:59 ` Junio C Hamano
@ 2005-12-21 21:17 ` H. Peter Anvin
2005-12-21 21:47 ` Pavel Roskin
2005-12-22 0:27 ` Horst von Brand
1 sibling, 1 reply; 5+ messages in thread
From: H. Peter Anvin @ 2005-12-21 21:17 UTC (permalink / raw)
To: Junio C Hamano; +Cc: Pavel Roskin, git
Junio C Hamano wrote:
> Pavel Roskin <proski@gnu.org> writes:
>
>
>>Insufficient memory is allocated in index-pack.c to hold the *.idx name.
>>One more byte should be allocated to hold the terminating 0.
>
> Thanks.
>
>
>>quote_c_style_counted() in quote.c uses a dangerous construct, when a
>>variable is incremented once and used twice in the same expression.
>
> Sorry, I do not follow you. Isn't && a sequence point?
>
&& is a sequence point. The code is techically fine, but it's harder
than necessary to read.
-hpa
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] off-by-one bugs found by valgrind
2005-12-21 21:17 ` H. Peter Anvin
@ 2005-12-21 21:47 ` Pavel Roskin
0 siblings, 0 replies; 5+ messages in thread
From: Pavel Roskin @ 2005-12-21 21:47 UTC (permalink / raw)
To: H. Peter Anvin; +Cc: Junio C Hamano, git
On Wed, 2005-12-21 at 13:17 -0800, H. Peter Anvin wrote:
> >>quote_c_style_counted() in quote.c uses a dangerous construct, when a
> >>variable is incremented once and used twice in the same expression.
> >
> > Sorry, I do not follow you. Isn't && a sequence point?
The patch is right, but my comment was wrong, sorry.
The actual problem detected by valgrind is that sp is dereferenced
before it's checked for the upper boundary. So, if e.g. namelen is 6,
the code reads name[6] into ch and then leaves the loop.
> && is a sequence point. The code is techically fine, but it's harder
> than necessary to read.
That alone should be a good reason to apply this patch.
--
Regards,
Pavel Roskin
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] off-by-one bugs found by valgrind
2005-12-21 20:59 ` Junio C Hamano
2005-12-21 21:17 ` H. Peter Anvin
@ 2005-12-22 0:27 ` Horst von Brand
1 sibling, 0 replies; 5+ messages in thread
From: Horst von Brand @ 2005-12-22 0:27 UTC (permalink / raw)
To: Junio C Hamano; +Cc: Pavel Roskin, git
Junio C Hamano <junkio@cox.net> wrote:
> Pavel Roskin <proski@gnu.org> writes:
[...]
> > quote_c_style_counted() in quote.c uses a dangerous construct, when a
> > variable is incremented once and used twice in the same expression.
>
> Sorry, I do not follow you. Isn't && a sequence point?
>
> > - for (sp = name; (ch = *sp++) && (sp - name) <= namelen; ) {
> > -
> > + for (sp = name; sp < name + namelen; sp++) {
Yes, it is, so it doesn't fix any bugs; but Pavel's version is definitely
more readable.
--
Dr. Horst H. von Brand User #22616 counter.li.org
Departamento de Informatica Fono: +56 32 654431
Universidad Tecnica Federico Santa Maria +56 32 654239
Casilla 110-V, Valparaiso, Chile Fax: +56 32 797513
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2005-12-22 13:59 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-12-21 20:35 [PATCH] off-by-one bugs found by valgrind Pavel Roskin
2005-12-21 20:59 ` Junio C Hamano
2005-12-21 21:17 ` H. Peter Anvin
2005-12-21 21:47 ` Pavel Roskin
2005-12-22 0:27 ` Horst von Brand
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).