[Cscope-devel] [ cscope-Bugs-1473133 ] buffer overflow in invmake()

[SourceForge.net <no...@so...>]

Bugs item #1473133, was opened at 2006-04-19 13:51
Message generated for change (Comment added) made by nhorman
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=104664&aid=1473133&group_id=4664

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: inverted index handling
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Neil Horman (nhorman)
Assigned to: Neil Horman (nhorman)
Summary: buffer overflow in invmake()

Initial Comment:
cscope is faulting out on a buffer overflow during the
parsing of some inverted index construction with the
following backtrace:
==================================================
#0  0x00417402 in __kernel_vsyscall ()
(gdb) bt
#0  0x00417402 in __kernel_vsyscall ()
#1  0x00ccd159 in *__GI_raise (sig=6)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2  0x00cce6e3 in *__GI_abort () at abort.c:88
#3  0x00d01a1b in __libc_message (do_abort=2, 
    fmt=0xdbf444 "*** buffer overflow detected ***: %s
terminated\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#4  0x00d80965 in *__GI___chk_fail () at chk_fail.c:31
#5  0x00d7ff07 in __strcpy_chk (
    dest=0x80a4c00
"a1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789"...,

    src=0xbf9f8b90
"a1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789"...,

    destlen=4294967295) at strcpy_chk.c:61
#6  0x08059d1f in invmake (invname=0x9ac5130
"ncscope.in.out", 
    invpost=0x9ac5148 "ncscope.po.out",
infile=0x9ab1fe0) at invlib.c:220
#7  0x0804f25d in build () at build.c:452
#8  0x0805b1b5 in main (argc=0, argv=0xbf9f97fc) at
main.c:560
#9  0x00cba7e4 in __libc_start_main (main=0x805a730
<main>, argc=3, 
    ubp_av=0xbf9f97f4, init=0x805cbb0 <__libc_csu_init>, 
    fini=0x805cba8 <__libc_csu_fini>,
rtld_fini=0x425e40 <_dl_fini>, 
    stack_end=0xbf9f97ec) at libc-start.c:231
#10 0x0804a031 in _start ()

=====================================================

This is due to the fact that the line array is larger
than the thisterm array in invmake(), and for
sufficiently long lines, the thisterm array can be
overrun easily in the strcpy operation in the same
function, leading to the above error.  The attached
patch corrects this issue.

----------------------------------------------------------------------

>Comment By: Neil Horman (nhorman)
Date: 2006-04-20 10:32

Message:
Logged In: YES 
user_id=827328

Ok, fair enough.  I'm attaching an updated version of the
patch.  Does that look more reasonable?

----------------------------------------------------------------------

Comment By: Hans-Bernhard Broeker (broeker)
Date: 2006-04-19 18:36

Message:
Logged In: YES 
user_id=27517

I'm afraid this patch isn't going to be sufficient.  If
thisterm[] contains only a cut-off version of line,
comparing it to other inputs, as in invlib.c:invmake():200,
could fail.  In other words, this change might break a
hardwired assumption of the invlib code.

It might be better to just do away with the LINEMAX macro
and use TERMMAX (512) in its place.  Yes, that would lower
the allowed line length in the postings text file by almost
a factor of two.  But if we can't store it anyway, what's
the point in trying to read longer input?



----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=104664&aid=1473133&group_id=4664