bug-coreutils

bug#28120: [PATCH] ptx: fix a possible crash caused by integer overflow


From: Kamil Dudka
Subject: bug#28120: [PATCH] ptx: fix a possible crash caused by integer overflow
Date: Fri, 18 Aug 2017 10:17:08 +0200
User-agent: KMail/4.14.10 (Linux/4.12.5-gentoo; KDE/4.14.32; x86_64; ; )

On Thursday, August 17, 2017 12:14:05 Paul Eggert wrote:
> On 08/17/2017 04:40 AM, Kamil Dudka wrote:
> > -typedef short int DELTA;   /* to hold displacement within one context */
> > +typedef int DELTA;         /* to hold displacement within one context */
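Review bot: widening DELTA from short int to int only moves the overflow threshold rather than removing it; a displacement within a context is a difference between positions in a buffer, so the natural type is ptrdiff_t, as the reply in this thread points out, and keeping the type signed preserves the sanitizer checking the thread argues for.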
> 
> Thanks for the heads-up. Although that fixes things for that particular
> test case, it won't work for larger cases.

Do you have an example of the larger case?  We could add a test-case for it.

> The type should be ptrdiff_t instead of int.
> 
> As its FIXME comment says, ptx is riddled with integer-overflow bugs. I
> installed the attached patch to fix the bug that you mentioned along
> with the other low-hanging fruit that I found, and am marking the bug as
> fixed upstream. I expect some other integer-overflow bugs can still
> occur in practice, but at least this patch is a significant improvement.
> 
> This patch prefers signed integer types like ptrdiff_t to unsigned types
> like size_t, as signed types allow for better checking when compiled
> with sanitization.

Your patch introduces the following warnings:

Error: CONSTANT_EXPRESSION_RESULT:
src/ptx.c:1939: result_independent_of_operands: "tmp <= 9223372036854775807L" 
is always true regardless of the values of its operands. This occurs as the 
logical second operand of "&&".
# 1937|               intmax_t tmp;
# 1938|               if (! (xstrtoimax (optarg, NULL, 0, &tmp, NULL) == LONGINT_OK
# 1939|->                    && 0 < tmp && tmp <= PTRDIFF_MAX))
# 1940|                 die (EXIT_FAILURE, 0, _("invalid gap width: %s"),
# 1941|                      quote (optarg));

Error: CONSTANT_EXPRESSION_RESULT:
src/ptx.c:1966: result_independent_of_operands: "tmp <= 9223372036854775807L" 
is always true regardless of the values of its operands. This occurs as the 
logical second operand of "&&".
# 1964|               intmax_t tmp;
# 1965|               if (! (xstrtoimax (optarg, NULL, 0, &tmp, NULL) == LONGINT_OK
# 1966|->                    && 0 < tmp && tmp <= PTRDIFF_MAX))
# 1967|                 die (EXIT_FAILURE, 0, _("invalid line width: %s"),
# 1968|                      quote (optarg));

Anyway, it fixes the original bug so I am fine with the patch as it is.

Thank you for pushing the fix!

Kamil
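The DELTA truncation and the width check quoted above, as an added C example that is not the coreutils ptx code; the type and function names are hypothetical, and strtoimax stands in for gnulib's xstrtoimax:

```c
#include <errno.h>
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef short int NARROW_DELTA;   /* the pre-fix DELTA type in ptx */
typedef ptrdiff_t WIDE_DELTA;     /* the type recommended in the thread */
/* Store displacement `off` in each type and read it back: returns 1 when the
   narrow type round-trips, 0 when the value was silently changed. */
int narrow_delta_roundtrips (ptrdiff_t off)
{
  NARROW_DELTA narrow = (NARROW_DELTA) off;  /* truncating conversion */
  WIDE_DELTA wide = off;
  return (ptrdiff_t) narrow == off && wide == off;
}

/* Validate an option value the way the quoted check does: parse it, then
   require 0 < value <= PTRDIFF_MAX before narrowing to ptrdiff_t.  Returns 0
   and stores the width on success, -1 on overflow, trailing junk or range.
   strtoimax stands in for gnulib's xstrtoimax (a substitution, not ptx code). */
int parse_width (const char *arg, ptrdiff_t *width)
{
  char *end;
  errno = 0;
  intmax_t tmp = strtoimax (arg, &end, 0);
  if (errno == ERANGE || end == arg || *end != '\0')
    return -1;
  /* The analyzer flags "tmp <= PTRDIFF_MAX" as always true where intmax_t and
     ptrdiff_t share a width; it is still correct, and matters where they differ. */
  if (! (0 < tmp && tmp <= PTRDIFF_MAX))
    return -1;
  *width = (ptrdiff_t) tmp;
  return 0;
}

/* Helper for checks: parse succeeded and produced `expected`. */
int width_parses_to (const char *arg, ptrdiff_t expected)
{
  ptrdiff_t w = 0;
  return parse_width (arg, &w) == 0 && w == expected;
}

int main (void)
{
  printf ("short round-trips 100: %d, 40000: %d\n",
          narrow_delta_roundtrips (100), narrow_delta_roundtrips (40000));
  printf ("\"80\" -> 80: %d, \"-1\" accepted: %d\n",
          width_parses_to ("80", 80), width_parses_to ("-1", -1));
  return 0;
}
```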