[Cscope-devel] [ cscope-Bugs-1473133 ] cscope faults on buffer overflow

[SourceForge.net <no...@so...>]

Bugs item #1473133, was opened at 2006-04-19 13:51
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=104664&aid=1473133&group_id=4664

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: inverted index handling
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Neil Horman (nhorman)
Assigned to: Nobody/Anonymous (nobody)
Summary: cscope faults on buffer overflow

Initial Comment:
cscope is faulting out on a buffer overflow during the
parsing of some inverted index construction with the
following backtrace:
==================================================
#0  0x00417402 in __kernel_vsyscall ()
(gdb) bt
#0  0x00417402 in __kernel_vsyscall ()
#1  0x00ccd159 in *__GI_raise (sig=6)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2  0x00cce6e3 in *__GI_abort () at abort.c:88
#3  0x00d01a1b in __libc_message (do_abort=2, 
    fmt=0xdbf444 "*** buffer overflow detected ***: %s
terminated\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#4  0x00d80965 in *__GI___chk_fail () at chk_fail.c:31
#5  0x00d7ff07 in __strcpy_chk (
    dest=0x80a4c00
"a1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789"...,

    src=0xbf9f8b90
"a1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789"...,

    destlen=4294967295) at strcpy_chk.c:61
#6  0x08059d1f in invmake (invname=0x9ac5130
"ncscope.in.out", 
    invpost=0x9ac5148 "ncscope.po.out",
infile=0x9ab1fe0) at invlib.c:220
#7  0x0804f25d in build () at build.c:452
#8  0x0805b1b5 in main (argc=0, argv=0xbf9f97fc) at
main.c:560
#9  0x00cba7e4 in __libc_start_main (main=0x805a730
<main>, argc=3, 
    ubp_av=0xbf9f97f4, init=0x805cbb0 <__libc_csu_init>, 
    fini=0x805cba8 <__libc_csu_fini>,
rtld_fini=0x425e40 <_dl_fini>, 
    stack_end=0xbf9f97ec) at libc-start.c:231
#10 0x0804a031 in _start ()

=====================================================

This is due to the fact that the line array is larger
than the thisterm array in invmake(), and for
sufficiently long lines, the thisterm array can be
overrun easily in the strcpy operation in the same
function, leading to the above error.  The attached
patch corrects this issue.

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=104664&aid=1473133&group_id=4664