From: SourceForge.net <no...@so...> - 2006-04-19 17:51:15
Bugs item #1473133, was opened at 2006-04-19 13:51
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=104664&aid=1473133&group_id=4664

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.

Category: inverted index handling
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Neil Horman (nhorman)
Assigned to: Nobody/Anonymous (nobody)
Summary: cscope faults on buffer overflow

Initial Comment:
cscope is faulting out on a buffer overflow during the parsing of some
inverted index construction with the following backtrace:

==================================================
#0  0x00417402 in __kernel_vsyscall ()
(gdb) bt
#0  0x00417402 in __kernel_vsyscall ()
#1  0x00ccd159 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2  0x00cce6e3 in *__GI_abort () at abort.c:88
#3  0x00d01a1b in __libc_message (do_abort=2, fmt=0xdbf444 "*** buffer overflow detected ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#4  0x00d80965 in *__GI___chk_fail () at chk_fail.c:31
#5  0x00d7ff07 in __strcpy_chk (dest=0x80a4c00 "a1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789"...,
    src=0xbf9f8b90 "a1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789"...,
    destlen=4294967295) at strcpy_chk.c:61
#6  0x08059d1f in invmake (invname=0x9ac5130 "ncscope.in.out", invpost=0x9ac5148 "ncscope.po.out", infile=0x9ab1fe0) at invlib.c:220
#7  0x0804f25d in build () at build.c:452
#8  0x0805b1b5 in main (argc=0, argv=0xbf9f97fc) at main.c:560
#9  0x00cba7e4 in __libc_start_main (main=0x805a730 <main>, argc=3, ubp_av=0xbf9f97f4, init=0x805cbb0 <__libc_csu_init>, fini=0x805cba8 <__libc_csu_fini>, rtld_fini=0x425e40 <_dl_fini>, stack_end=0xbf9f97ec) at libc-start.c:231
#10 0x0804a031 in _start ()
=====================================================

This is due to the fact that the line array is larger than the thisterm array
in invmake(), and for sufficiently long lines, the thisterm array can be
overrun easily in the strcpy operation in the same function, leading to the
above error. The attached patch corrects this issue.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=104664&aid=1473133&group_id=4664
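The overrun the report describes, as an added example that is not cscope's own code and not the attached patch: a reduced model of the invmake() pattern, a larger line[] buffer feeding a smaller thisterm[] buffer. The unchecked form is the strcpy the backtrace shows (fortified glibc aborts it with the "buffer overflow detected" message); the checked form measures the term first and refuses anything that cannot fit with its NUL. The buffer sizes LINE_MAX_ASSUMED and TERM_MAX_ASSUMED, the helper names (term_length, copy_term_unchecked, copy_term_checked, long_term_line) and the constructed posting lines are all assumptions for illustration, not cscope's real constants or input format.

```c
/*
 * Added example, not cscope's own code: a reduced model of the invmake()
 * pattern from the report. A large line[] buffer feeds a smaller thisterm[]
 * buffer via strcpy, so a long enough term overruns thisterm. The sizes below
 * are assumptions chosen for illustration, not cscope's real values.
 */
#include <stdio.h>
#include <string.h>

#define LINE_MAX_ASSUMED 1024   /* assumed: size of line[] (the larger buffer) */
#define TERM_MAX_ASSUMED 256    /* assumed: size of thisterm[] (the smaller one) */

struct invrec {
    char line[LINE_MAX_ASSUMED];
    char thisterm[TERM_MAX_ASSUMED];
};

/* Length of the term at the start of a posting line: everything before the
 * first blank, tab or newline (assumed line layout: "term postings...\n"). */
static size_t term_length(const char *line)
{
    return strcspn(line, " \t\n");
}

/* Vulnerable form (mirrors the backtrace): strcpy from line into thisterm with
 * no length check. Undefined behaviour once the term plus its NUL exceeds
 * sizeof thisterm; with glibc's _FORTIFY_SOURCE the call becomes __strcpy_chk
 * and aborts with "*** buffer overflow detected ***" as in the report.
 * Only ever call this with a term known to be short. */
static void copy_term_unchecked(struct invrec *r)
{
    char *end = r->line + term_length(r->line);
    *end = '\0';
    strcpy(r->thisterm, r->line);
}

/* Hardened form: measure first, reject anything that cannot fit together with
 * its terminating NUL, then copy with an explicit bound. Returns 0 on success
 * and -1 when the term is too long for dst, so the caller can skip the posting
 * and report it instead of corrupting memory. Generic in dst/dstlen so the
 * same check serves any fixed-size destination. */
static int copy_term_checked(const char *line, char *dst, size_t dstlen)
{
    size_t n = term_length(line);
    if (dstlen == 0 || n >= dstlen)
        return -1;
    memcpy(dst, line, n);
    dst[n] = '\0';
    return 0;
}

/* Constructed test input: a posting line whose term is n copies of 'a'
 * followed by a short posting list. Returns a static buffer that the next
 * call overwrites; n is clamped so the tail always fits in the line buffer. */
static const char *long_term_line(size_t n)
{
    static char buf[LINE_MAX_ASSUMED];
    const char tail[] = " 12 34\n";
    if (n > sizeof buf - sizeof tail)
        n = sizeof buf - sizeof tail;
    memset(buf, 'a', n);
    memcpy(buf + n, tail, sizeof tail);
    return buf;
}

int main(void)
{
    struct invrec r;
    int rc;

    /* Short term: both forms behave the same. */
    strcpy(r.line, "main 12 34\n");
    copy_term_unchecked(&r);
    printf("unchecked, short term: thisterm=\"%s\"\n", r.thisterm);

    /* Long term: the checked form refuses instead of overrunning thisterm. */
    rc = copy_term_checked(long_term_line(600), r.thisterm, sizeof r.thisterm);
    printf("checked, 600-byte term: rc=%d (%s)\n", rc,
           rc == 0 ? "copied" : "rejected, would overflow thisterm");

    /* Largest term that fits: TERM_MAX_ASSUMED - 1 bytes plus the NUL. */
    rc = copy_term_checked(long_term_line(TERM_MAX_ASSUMED - 1),
                           r.thisterm, sizeof r.thisterm);
    printf("checked, %d-byte term: rc=%d, strlen=%zu\n",
           TERM_MAX_ASSUMED - 1, rc, strlen(r.thisterm));
    return 0;
}
```

The check is deliberately `n >= dstlen` rather than `n > dstlen`: the terminating NUL needs its own byte, and off-by-one on exactly that boundary is the usual residual bug after a strcpy is "fixed" with a size comparison. Rejecting the record (rather than silently truncating the term) also keeps the index consistent, since a truncated term would collide with an unrelated shorter symbol.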