If you use memcmp to compare strings, it does not stop reading when it
finds the terminating null byte of the shortest string, which can
trigger an attempt to read unallocated memory.  I'd recommend
replacing instances of memcmp on strings with strncmp, which won't
attempt to read past the end of the shortest string.

Environment:
System: Linux puffer.diveadx.com 2.6.16-1.2069_FC4smp #1 SMP Tue Mar 28
12:47:32 EST 2006 i686 i686 i386 GNU/Linux
Architecture: i686


host: i686-pc-linux-gnu
build: i686-pc-linux-gnu
target: i686-pc-linux-gnu
configured with: /src/latest/trunk/src/gcc/configure -v
--prefix=/opt/local/latest/trunk --enable-languages=c,c++
--cache-file=.././config.cache --srcdir=/src/latest/trunk/src/gcc

How-To-Repeat:

As an example, build gengtype with mudflap and run it.  It will
detect lots of reads by memcmp past the end of a string.

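To make the distinction concrete, here is an added example (written for this page, not code from the report or from GCC) that contrasts the two ways of testing whether a NUL-terminated path starts with a language-directory prefix. The `lang_dirs` table, the path samples and all function names are constructed for the demo; they are not gengtype's real `lang_dir_names[]`. `lang_dir_index` mirrors the shape of the gengtype lookup (prefix match followed by a `'/'` check), and `memcmp_overread_bytes` computes, from string lengths alone, how far an unguarded `memcmp` would have read past the terminator, so the example never performs the out-of-bounds read itself.

```c
/* Added example, not GCC code: prefix matching on NUL-terminated strings
   with strncmp versus memcmp.  The directory table below is constructed
   for the demo and is not gengtype's real lang_dir_names[].  */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static const char *const lang_dirs[] = { "c", "ada", "cp", "fortran", "java", "objc" };
#define NUM_LANG_DIRS (sizeof lang_dirs / sizeof lang_dirs[0])

/* Safe for any NUL-terminated s: strncmp stops at the first NUL in either
   operand, so it never reads past the end of s even when s is shorter
   than prefix.  Returns 1 on match, 0 otherwise.  */
int starts_with_strncmp(const char *s, const char *prefix)
{
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* memcmp ignores NUL, so it is only safe once the caller has proven that
   s holds at least strlen(prefix) bytes.  This is the guard an unguarded
   memcmp(s, prefix, strlen(prefix)) is missing.  */
int starts_with_memcmp_guarded(const char *s, const char *prefix)
{
    size_t n = strlen(prefix);
    return strlen(s) >= n && memcmp(s, prefix, n) == 0;
}

/* Bytes that memcmp(s, prefix, strlen(prefix)) would read beyond s's
   allocation (terminating NUL included).  Computed from lengths only,
   so this function itself is well-defined; 0 means the call would have
   stayed in bounds.  */
size_t memcmp_overread_bytes(const char *s, const char *prefix)
{
    size_t have = strlen(s) + 1;   /* bytes allocated for s, NUL included */
    size_t need = strlen(prefix);  /* bytes memcmp would read from s */
    return need > have ? need - have : 0;
}

/* Same shape as the gengtype lookup: which language directory does a path
   like "cp/decl.c" live in?  Returns the table index, or -1 if none.  */
int lang_dir_index(const char *basename)
{
    size_t i;
    for (i = 0; i < NUM_LANG_DIRS; i++) {
        size_t n = strlen(lang_dirs[i]);
        /* strncmp == 0 proves basename has at least n non-NUL bytes, so
           basename[n] is in bounds (it may be the terminating NUL).  The
           '/' check stops "c" from matching "cp/decl.c".  */
        if (strncmp(basename, lang_dirs[i], n) == 0 && basename[n] == '/')
            return (int)i;
    }
    return -1;
}

int main(void)
{
    /* Constructed sample paths, not taken from a real GCC tree.  */
    const char *paths[] = { "cp/decl.c", "c/c-decl.c", "fortran/trans.c",
                            "java", "cp", "toplev.c" };
    size_t p, i;

    for (p = 0; p < sizeof paths / sizeof paths[0]; p++) {
        printf("%-16s -> lang_dir_index %d\n", paths[p], lang_dir_index(paths[p]));
        for (i = 0; i < NUM_LANG_DIRS; i++) {
            size_t over = memcmp_overread_bytes(paths[p], lang_dirs[i]);
            if (over)
                printf("  unguarded memcmp against \"%s\" would read %zu byte(s) past the NUL\n",
                       lang_dirs[i], over);
        }
    }
    return 0;
}
```

Note that `strncmp` with `n = strlen(prefix)` is exactly a "starts with" test, which is why the `'/'` follow-up in `lang_dir_index` is still needed: without it, the one-letter entry `"c"` would claim every path beginning with `c`.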

------- Comment #1 from fnf at specifix dot com  2006-04-28 11:53 -------
Fix:

Here's an example fix for gengtype.c

Index: gengtype.c
===================================================================
RCS file: /cvsroots/latest/src/gcc/gcc/gengtype.c,v
retrieving revision 1.1.1.4
diff -u -r1.1.1.4 gengtype.c
--- gengtype.c  15 Mar 2006 20:17:05 -0000      1.1.1.4
+++ gengtype.c  28 Apr 2006 10:48:11 -0000
@@ -1179,7 +1179,7 @@
       size_t i;
       for (i = 1; i < NUM_BASE_FILES; i++)
        if ((size_t)(slashpos - basename) == strlen (lang_dir_names [i])
-           && memcmp (basename, lang_dir_names[i], strlen (lang_dir_names[i]))
== 0)
+           && strncmp (basename, lang_dir_names[i], strlen
(lang_dir_names[i])) == 0)
           {
             /* It's in a language directory, set that language.  */
             bitmap = 1 << i;
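Review bot: the memcmp in this hunk is already in bounds, so the change here is harmless but does not address the over-read: the preceding condition `(size_t)(slashpos - basename) == strlen (lang_dir_names [i])` guarantees that basename holds at least strlen (lang_dir_names[i]) bytes before the slash, which is exactly the count memcmp reads. Separately, the `== 0)` continuation sitting on its own line looks like mailer wrapping of the `&&` line; a wrapped hunk will not apply with patch, so attach the diff as a file rather than pasting it inline.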
@@ -1272,7 +1272,7 @@
       size_t i;

       for (i = 0; i < NUM_BASE_FILES; i++)
-       if (memcmp (basename, lang_dir_names[i], strlen (lang_dir_names[i])) ==
0
+       if (strncmp (basename, lang_dir_names[i], strlen (lang_dir_names[i]))
== 0
            && basename[strlen(lang_dir_names[i])] == '/')
          return base_files[i];
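Review bot: this hunk is where the real over-read lives, and strncmp is the right fix, but please hoist `strlen (lang_dir_names[i])` into a local, since it is now evaluated twice per iteration (once for the strncmp length and once for the `'/'` index). Unlike the earlier hunk there is no length check before the comparison, so `memcmp (basename, lang_dir_names[i], strlen (lang_dir_names[i]))` reads strlen (lang_dir_names[i]) bytes from basename even when basename is shorter, which is what mudflap flags; strncmp stops at the first NUL, and because strncmp returning 0 proves basename has at least that many characters, the following `basename[strlen(lang_dir_names[i])] == '/'` index stays in bounds. The `== 0` split onto its own line is the same mail wrapping as in the first hunk.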


-- 
           Summary: memcmp reads past end of strings
           Product: gcc
           Version: 4.2.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: other
        AssignedTo: unassigned at gcc dot gnu dot org
        ReportedBy: fnf at specifix dot com
 GCC build triplet: i686-pc-linux-gnu
  GCC host triplet: i686-pc-linux-gnu
GCC target triplet: i686-pc-linux-gnu


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=27348