From: Eric Blake
Subject: Re: Static analyzer "smatch" found potential bug in format.c
Date: Sat, 28 Aug 2010 16:11:08 -0600
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.8) Gecko/20100806 Fedora/3.1.2-1.fc13 Mnenhy/0.8.3 Thunderbird/3.1.2
On 08/27/2010 04:57 PM, Carlo Teubner wrote:
Just for fun, I ran smatch (http://smatch.sourceforge.net/) on the m4 code. The only legitimate issue it found is fixed by this patch: diff --git a/modules/format.c b/modules/format.c index b772290..2787154 100644 --- a/modules/format.c +++ b/modules/format.c @@ -333,7 +333,7 @@ format (m4 *context, m4_obstack *obs, int argc, m4_macro_args *argv) } c = *fmt; - if (c> sizeof ok || !ok[c] || !f_len) + if (c>= sizeof ok || !ok[c] || !f_len)
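Review bot: the pre-patch guard `c > sizeof ok` still lets `c == sizeof ok` through, so `!ok[c]` reads one element past the end of the table before the decision is made; `c >= sizeof ok` is the correct upper bound for an array of `sizeof ok` elements, and keeping the bound test first in the short-circuit chain is right. Worth confirming that `c` is an unsigned type at the `c = *fmt;` assignment: with a signed char, bytes 0x80 and above would be negative and would need a lower-bound check as well, whereas with an unsigned byte the `>=` test alone is sufficient.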
Thanks for the report. Indeed, this was making a branching decision based on out-of-bounds memory if you pass "%\x80" through the format builtin. And on my Fedora machine, this minimal test exposes the problem:
$ echo 'format(%format(%c,128))' | m4
m4: internal error detected; please report this bug to <address@hidden>: Aborted
I'll be applying your patch, plus a testsuite addition, shortly, then working on releasing 1.4.15.
--
Eric Blake   address@hidden   +1-801-349-2682
Libvirt virtualization library http://libvirt.org
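The off-by-one discussed in this thread, as an added C example that is not m4's own code: the guard before and after the patch, and the patched predicate applied to a whole format string. It assumes a 128-byte `ok[]` acceptance table (so that byte 0x80, the `%c,128` case above, is exactly `sizeof ok`) and a constructed subset of conversion letters.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumed table size: 128 entries, so byte 0x80 is one past the end. */
#define OK_SIZE 128

/* Fill the table so that ok[c] is nonzero only for accepted conversion
   bytes (constructed subset of what a printf-style formatter allows). */
static void build_ok(char ok[OK_SIZE])
{
    static const char accepted[] = "cdiouxXeEfgGs";
    memset(ok, 0, OK_SIZE);
    for (const char *p = accepted; *p; p++)
        ok[(unsigned char) *p] = 1;
}

/* Does the guard let execution reach ok[c]?  The pre-patch guard uses
   '>' and therefore still indexes ok[128], one past the array; the
   patched guard uses '>=' and rejects it.  No memory is touched here. */
bool guard_reaches_table(unsigned char c, bool patched)
{
    return patched ? !(c >= OK_SIZE) : !(c > OK_SIZE);
}

/* Patched check over a whole format string: returns the offset of the
   first rejected conversion byte, or -1 if every "%<byte>" is accepted.
   Width/precision/length fields are not modelled; "%%" passes through;
   a trailing lone '%' is reported at the offset of the terminating NUL. */
int first_bad_conversion(const char *fmt)
{
    char ok[OK_SIZE];
    build_ok(ok);
    for (const unsigned char *p = (const unsigned char *) fmt; *p; p++) {
        if (*p != '%')
            continue;
        unsigned char c = *++p;            /* byte after '%' */
        if (c == '%')
            continue;                      /* literal percent sign */
        if (c >= sizeof ok || !ok[c])      /* the patched predicate */
            return (int) (p - (const unsigned char *) fmt);
    }
    return -1;
}
```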