Bug#324908: gcc: Wrong code generation on amd64.
reassign 324908 filtergen 0.12.4-4
retitle 324908 filtergen: FTBFS on amd64: Segmentation fault: buffer overflow.
thanks
Hi,
Serge Belyshev looked into this closer, and it appears to be a
bug in filtergen after all, and it's a buffer overflow.
The problem:
#define MAXINCLUDES 16
struct inc_stack_s {
        YY_BUFFER_STATE state;
        char * filename;
        long int lineno;
};
struct inc_stack_s inc_stack[MAXINCLUDES] = { { state: 0, filename: NULL, lineno: 1 } };
[...]
void step_into_include_file(const char * fn) {
        FILE * f;
        if (!(f = fopen(fn, "r"))) {
                scan_err("warning: can't open file \"%s\"", fn);
        } else {
                inc_stack[inc_stackptr++].state = YY_CURRENT_BUFFER;
inc_stackptr can be MAXINCLUDES at this point overwriting
things it shouldn't.
I guess the easiest way to solve this is to make inc_stack
of size MAXINCLUDES + 1. And that also seems to be preventing
the crash.
There are a few other problems I've noticed looking shortly at
the package:
static void scan_err(const char * fmt, ...) {
        va_list args;
        va_start(args, fmt);
        if (inc_stackptr >= 0)
                fprintf(stderr, "%s:%ld: ", filename(), lineno());
        vfprintf(stderr, fmt, args);
        fprintf(stderr, "\n");
}
It's missing a va_stop(args);
And the same goes for oprintf() in filtergen.c
char * filename(void) {
        return inc_stack[inc_stackptr].filename ?: strdup("(standard input)");
}
Why the strdup()? You can perfectly well return a static string
there. It's also not getting free()'d anywhere. Also, the "?:"
you're using is a gcc extension and you might want to avoid that.
PS: Note that scanner.c is generated from scanner.l, so please
update both of them if you fix it.
Kurt
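A hardened version of the include stack, written here as an added illustration and not taken from filtergen itself: the array is sized MAXINCLUDES + 1 as suggested above, the push refuses a deeper nesting instead of writing past the end, the filename accessor returns a static string instead of an unfreed strdup(), and every va_start is paired with the standard va_end. The names inc_push, inc_pop, inc_filename and report_err are made up for this example, and an opaque void pointer stands in for flex's YY_BUFFER_STATE.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MAXINCLUDES 16

struct inc_entry {
        void *state;          /* stands in for YY_BUFFER_STATE */
        const char *filename; /* caller-owned name; nothing to free */
        long lineno;
};

/* One extra slot: index MAXINCLUDES is reached after MAXINCLUDES pushes. */
static struct inc_entry inc_stack[MAXINCLUDES + 1] = { { NULL, NULL, 1 } };
static int inc_stackptr = 0;   /* index of the entry currently being scanned */

/* Save the current buffer and enter an include file.
 * Returns 0 on success, -1 when MAXINCLUDES nested includes are already open. */
int inc_push(void *cur_state, const char *fn)
{
        if (inc_stackptr >= MAXINCLUDES)   /* inc_stackptr + 1 would be out of bounds */
                return -1;
        inc_stack[inc_stackptr].state = cur_state;
        inc_stackptr++;
        inc_stack[inc_stackptr].state = NULL;
        inc_stack[inc_stackptr].filename = fn;
        inc_stack[inc_stackptr].lineno = 1;
        return 0;
}

/* Leave the current include file and hand back the saved buffer. */
int inc_pop(void **state_out)
{
        if (inc_stackptr <= 0)
                return -1;
        inc_stackptr--;
        *state_out = inc_stack[inc_stackptr].state;
        return 0;
}

int inc_depth(void)
{
        return inc_stackptr;
}

/* Static string instead of strdup(): nothing leaks, no gcc-only "?:" needed. */
const char *inc_filename(void)
{
        const char *fn = inc_stack[inc_stackptr].filename;
        return fn ? fn : "(standard input)";
}

long inc_lineno(void)
{
        return inc_stack[inc_stackptr].lineno;
}

/* Error reporter in the shape of scan_err(), formatting into a caller buffer
 * so the result can be checked.  va_start is always followed by va_end. */
int report_err(char *buf, size_t n, const char *fmt, ...)
{
        va_list args;
        int r;
        int off = snprintf(buf, n, "%s:%ld: ", inc_filename(), inc_lineno());
        if (off < 0 || (size_t)off >= n)
                return -1;
        va_start(args, fmt);
        r = vsnprintf(buf + off, n - off, fmt, args);
        va_end(args);
        return r < 0 ? -1 : off + r;
}

/* Nest includes until the stack refuses, the way a self-including config
 * file would, then unwind.  Returns how many pushes were accepted. */
int overflow_rejected(void)
{
        int pushed = 0;
        void *st;
        while (inc_push(NULL, "nested.fg") == 0)
                pushed++;                       /* stops at MAXINCLUDES, never past the array */
        while (inc_pop(&st) == 0)
                ;
        return pushed;
}
```

With the bound check in place, a chain of 17 nested includes produces a clean error from the parser rather than a segfault or silent corruption of whatever follows inc_stack in the data segment.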