From: SourceForge.net <no...@so...> - 2006-04-20 14:32:14
Bugs item #1473133, was opened at 2006-04-19 13:51
Message generated for change (Comment added) made by nhorman
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=104664&aid=1473133&group_id=4664

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: inverted index handling
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Neil Horman (nhorman)
Assigned to: Neil Horman (nhorman)
Summary: buffer overflow in invmake()

Initial Comment:
cscope is faulting out on a buffer overflow during the parsing of some inverted index construction with the following backtrace:
==================================================
#0  0x00417402 in __kernel_vsyscall ()
(gdb) bt
#0  0x00417402 in __kernel_vsyscall ()
#1  0x00ccd159 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2  0x00cce6e3 in *__GI_abort () at abort.c:88
#3  0x00d01a1b in __libc_message (do_abort=2, fmt=0xdbf444 "*** buffer overflow detected ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#4  0x00d80965 in *__GI___chk_fail () at chk_fail.c:31
#5  0x00d7ff07 in __strcpy_chk (dest=0x80a4c00 "a1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789"..., src=0xbf9f8b90 "a1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789"..., destlen=4294967295) at strcpy_chk.c:61
#6  0x08059d1f in invmake (invname=0x9ac5130 "ncscope.in.out", invpost=0x9ac5148 "ncscope.po.out", infile=0x9ab1fe0) at invlib.c:220
#7  0x0804f25d in build () at build.c:452
#8  0x0805b1b5 in main (argc=0, argv=0xbf9f97fc) at main.c:560
#9  0x00cba7e4 in __libc_start_main (main=0x805a730 <main>, argc=3, ubp_av=0xbf9f97f4, init=0x805cbb0 <__libc_csu_init>, fini=0x805cba8 <__libc_csu_fini>, rtld_fini=0x425e40 <_dl_fini>, stack_end=0xbf9f97ec) at libc-start.c:231
#10 0x0804a031 in _start ()
=====================================================
This is due to the fact that the line array is larger than the thisterm array in invmake(), and for sufficiently long lines, the thisterm array can be overrun easily in the strcpy operation in the same function, leading to the above error. The attached patch corrects this issue.

----------------------------------------------------------------------

>Comment By: Neil Horman (nhorman)
Date: 2006-04-20 10:32

Message:
Logged In: YES
user_id=827328

Ok, fair enough. I'm attaching an updated version of the patch. Does that look more reasonable?

----------------------------------------------------------------------

Comment By: Hans-Bernhard Broeker (broeker)
Date: 2006-04-19 18:36

Message:
Logged In: YES
user_id=27517

I'm afraid this patch isn't going to be sufficient. If thisterm[] contains only a cut-off version of line, comparing it to other inputs, as in invlib.c:invmake():200, could fail. In other words, this change might break a hardwired assumption of the invlib code.

It might be better to just do away with the LINEMAX macro and use TERMMAX (512) in its place. Yes, that would lower the allowed line length in the postings text file by almost a factor of two. But if we can't store it anyway, what's the point in trying to read longer input?

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=104664&aid=1473133&group_id=4664
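The thread above describes two things: an unchecked strcpy from a larger line buffer into a smaller term buffer, and Broeker's objection that merely truncating the copy leaves a term that no longer compares equal to the original line. The C program below is an added illustration of both points and is not cscope's own code or either patch from the tracker; TERMMAX (512) is the value quoted in the thread, while LINEMAX (1000), the function names and the sample inputs are constructed for this demonstration. The copy helper fits the term in full or refuses it with an error code, so a caller can never proceed with a silently shortened term.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* TERMMAX is the value quoted in the bug thread. LINEMAX is an assumed
 * value for this demonstration only (larger than TERMMAX, as the report
 * describes), not cscope's actual definition. */
#define TERMMAX 512
#define LINEMAX 1000

/* Copy src into dest (capacity destsize) only when it fits in full,
 * including the terminating NUL. Returns 0 on success and -1 when the
 * term would not fit; on failure dest is left as an empty string rather
 * than a silently truncated term, because a truncated term would later
 * compare unequal to the full line (the concern raised in the thread). */
int copy_term_checked(char *dest, size_t destsize, const char *src)
{
    size_t n = strlen(src);

    if (destsize == 0)
        return -1;
    if (n >= destsize) {          /* no room for the NUL: refuse, do not truncate */
        dest[0] = '\0';
        return -1;
    }
    memcpy(dest, src, n + 1);     /* n + 1 copies the terminator too */
    return 0;
}

/* Model of the problematic path: input is read into a LINEMAX-sized
 * line[] and then transferred into the caller's TERMMAX-sized thisterm[].
 * An unchecked strcpy(thisterm, line) here is exactly the overflow the
 * backtrace shows; the checked copy returns -1 instead.
 * Return values: 0 ok, -1 term too long for thisterm, -2 input too long
 * even for line[]. */
int process_line(const char *input, char *thisterm, size_t termsize)
{
    char line[LINEMAX];

    if (copy_term_checked(line, sizeof line, input) != 0)
        return -2;
    return copy_term_checked(thisterm, termsize, line);
}

/* Test helper: build a constructed term of the requested length
 * (caller frees). Returns NULL on allocation failure. */
char *make_term(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'a', len);
    s[len] = '\0';
    return s;
}

int main(void)
{
    char thisterm[TERMMAX];
    char *short_term = make_term(100);
    char *long_term  = make_term(700);   /* fits line[] but not thisterm[] */

    if (short_term == NULL || long_term == NULL)
        return 1;
    printf("100-byte term: %d\n", process_line(short_term, thisterm, sizeof thisterm));
    printf("700-byte term: %d\n", process_line(long_term, thisterm, sizeof thisterm));
    free(short_term);
    free(long_term);
    return 0;
}
```

With the sizes assumed here a 700-byte term is accepted by the line buffer but rejected for thisterm, which is the case the original strcpy mishandled; making both buffers the same size, as Broeker suggests, removes that middle range entirely, and the checked copy then only guards against a future size mismatch.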