Re: [Doxygen-develop] Memory underrun in util.cpp:5584
From: Dimitri v. H. <di...@st...> - 2005-10-22 12:18:36
On Fri, Oct 21, 2005 at 03:54:21PM +0100, Michael McTernan wrote:
> Hi there,
>
> I took the doxygen-1.4.4-20050815.tar.gz CVS tarball and ran it under
> valgrind. I found a byte being accessed before the start of a buffer:
>
>   // search for trailing empty lines
>   int b=l-1,bi=-1;
>   p=s.data()+b;
>   while (b>=0)
>   {
>     c=*--p;   <------ Can read before s.data
>     if (c==' ' || c=='\t' || c=='\r') b--;
>     else if (c=='\n') bi=b,b--;
>     else break;
>   }
>
> I think the problem is that --p occurs before the dereference, and so the
> code would be better written as:
>
>   while (b>=0)
>   {
>     c=*p; p--;
>     if (c==' ' || c=='\t' || c=='\r') b--;
>
> This avoids p[-1] being accessed if something like "\n" is in the buffer.
>
> I've not put it into Bugzilla, but let me know if you would prefer it filed
> there instead.

If you look at version 1.4.5 or later, you'll see the code had been changed to:

------------------------------------------------------
  // search for trailing empty lines
  int b=l-1,bi=-1;
  p=s.data()+b;
  while (b>=0)
  {
    c=*p; p--;
    if (c==' ' || c=='\t' || c=='\r') b--;
    else if (c=='\n') bi=b,b--;
    else break;
  }
------------------------------------------------------

so that's exactly what you are proposing ;-)

Regards,
  Dimitri
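
The two loop forms discussed in this thread, side by side, as an added example that is not part of the original message or of the Doxygen source. The names `scan_trailing`, `run` and the guard byte are assumptions of this demo: the text is placed behind one guard byte so that the read at index -1 can be observed without touching memory outside an allocation.

```c
#include <stdio.h>
#include <string.h>

struct scan { int bi; int lowest; };  /* bi as in the thread; lowest index read */

/* pre != 0: c=*--p (reported form).  pre == 0: c=*p; p--; (1.4.5 form). */
static struct scan scan_trailing(const char *s, int l, int pre) {
    struct scan r = { -1, l };        /* lowest == l means nothing was read */
    int b = l - 1;
    const char *p = s + b;
    while (b >= 0) {
        if (pre) --p;                 /* move first, then read */
        char c = *p;
        int idx = (int)(p - s);
        if (idx < r.lowest) r.lowest = idx;
        if (!pre) p--;                /* read first, then move */
        if (c == ' ' || c == '\t' || c == '\r') b--;
        else if (c == '\n') { r.bi = b; b--; }
        else break;
    }
    return r;
}

/* Assumption for the demo: the text sits behind one guard byte, so index -1
   is a defined read here instead of an underrun of a real allocation. */
static struct scan run(const char *text, char guard, int pre) {
    char buf[64];
    size_t l = strlen(text);
    if (l > sizeof buf - 1) l = sizeof buf - 1;
    buf[0] = guard;
    memcpy(buf + 1, text, l);
    return scan_trailing(buf + 1, (int)l, pre);
}

int main(void) {
    const char *cases[] = { "\n", " \n", "text\n" };  /* constructed inputs */
    for (int i = 0; i < 3; i++) {
        struct scan a = run(cases[i], 'X', 1), b = run(cases[i], 'X', 0);
        printf("case %d: pre lowest=%d bi=%d | post lowest=%d bi=%d\n",
               i, a.lowest, a.bi, b.lowest, b.bi);
    }
    return 0;
}
```

For the input "\n", the pre-decrement form reads index -1 and its `bi` result follows whatever byte happens to sit there, while the post-decrement form never reads below index 0.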