Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 244067 Details for
Bug 317695
media-libs/libsndfile-1.0.21 buffer overflow w/ GCC 4.5 and -DFORTIFY_SOURCE=2
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
Test program around strncpy_crlf to demonstrate that chosen inputs can cause it to overrun the output buffer
strncpy_crlf_tst.c (text/plain), 1.44 KB, created by
Kevin Pyle
on 2010-08-22 18:06:09 UTC
(
hide
)
Description:
Test program around strncpy_crlf to demonstrate that chosen inputs can cause it to overrun the output buffer
Filename:
MIME Type:
Creator:
Kevin Pyle
Created:
2010-08-22 18:06:09 UTC
Size:
1.44 KB
patch
obsolete
>/* > * Compile with: > >gcc -Wall -Wextra -O2 -g2 -ggdb strncpy_crlf_tst.c -o strncpytst > > */ >#include <stdlib.h> >#include <string.h> >#include <assert.h> > >static void >strncpy_crlf (char *dest, const char *src, size_t destmax, size_t srcmax) >{ char * destend = dest + destmax - 1 ; > const char * srcend = src + srcmax ; > > while (dest < destend && src < srcend) > { if ((src [0] == '\r' && src [1] == '\n') || (src [0] == '\n' && src [1] == '\r')) > { *dest++ = '\r' ; > *dest++ = '\n' ; > src += 2 ; > continue ; > } ; > > if (src [0] == '\r') > { *dest++ = '\r' ; > *dest++ = '\n' ; > src += 1 ; > continue ; > } ; > > if (src [0] == '\n') > { *dest++ = '\r' ; > *dest++ = '\n' ; > src += 1 ; > continue ; > } ; > > *dest++ = *src++ ; > } ; > > /* Make sure dest is terminated. */ > *dest = 0 ; >} /* strncpy_crlf */ > >union u >{ > char buf[16]; > char ebuf[20]; >}; > >struct a >{ > char buf[16]; >}; > >int main() >{ > union u x; > memset(&x.ebuf, 1, sizeof(x.ebuf)); > assert(x.ebuf[0] == 1); > assert(x.ebuf[sizeof(x.buf)] == 1); > static const char nl[] = "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n"; > /* > * Overrun the declared bounds of x.buf, demonstrated via an assert > * a few lines later. > */ > strncpy_crlf(x.buf, nl, sizeof(x.buf), sizeof(nl)); > /* > * Overrun a stack buffer by one byte, demonstrated via Valgrind > * memcheck. > */ > struct a *y = malloc(sizeof(struct a)); > strncpy_crlf(y->buf, nl, sizeof(y->buf), sizeof(nl)); > assert(x.ebuf[sizeof(x.buf)] == 1); > free(y); > return 0; >}
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Actions:
View
Attachments on
bug 317695
:
243659
| 244067