bug-gnustep

From: Jens Alfke
Subject: [bug #35699] NSStrings can point into garbage memory (misuse of app-supplied backing buffer)
Date: Fri, 02 Mar 2012 18:21:40 +0000
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.22 (KHTML, like Gecko) Chrome/19.0.1049.3 Safari/535.22

URL:
  <http://savannah.gnu.org/bugs/?35699>

                 Summary: NSStrings can point into garbage memory (misuse of app-supplied backing buffer)
                 Project: GNUstep
            Submitted by: snej
            Submitted on: Fri 02 Mar 2012 06:21:39 PM GMT
                Category: Base/Foundation
                Severity: 3 - Normal
              Item Group: Bug
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any

    _______________________________________________________

Details:

NSString is insufficiently careful in its use of externally-provided buffers
(i.e. passed to -initWithBytesNoCopy:).  Substrings created from such a string
apparently point into the same temporary buffer, even after the original
string is released, meaning that their contents become garbage as soon as the
buffer contents become invalid.

In the test case below, the contents of the NSString 'substr' change if the
temporary buffer is modified, even after the original string created from that
buffer is released. This is of course likely to lead to very nasty side
effects later on.

I don't know the details of Apple's NSString implementation, but my
understanding is that the -substringWithRange: method should not allow the
string it returns to share a buffer with the original string, when the
original string uses ephemeral user-supplied memory.

TEST CASE

#import <Foundation/Foundation.h>
#include <string.h>

void test(void)
{
    char buffer[] = "I HAZ A BUFFER";
    // Wrap the stack buffer without copying; the string must not outlive it.
    NSString* str = [[NSString alloc] initWithBytesNoCopy: buffer
                                                   length: strlen(buffer)
                                                 encoding: NSUTF8StringEncoding
                                             freeWhenDone: NO];
    NSString* substr = [str substringWithRange: NSMakeRange(2, 3)];
    NSLog(@"substr = '%@'", substr);
    NSAssert([substr isEqualToString: @"HAZ"], @"bad substr");
    [str release];  // after this point nothing should be using the contents of buffer[]!
    // Overwrite the buffer; a substring that still aliases it now reads '***'.
    memset(buffer, '*', sizeof(buffer));
    NSLog(@"substr = '%@'", substr);
    NSAssert([substr isEqualToString: @"HAZ"], @"bad substr");
}
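The aliasing pattern behind this report, reduced to plain C as an added example (not GNUstep code and not from the report): a substring that merely views the caller's no-copy buffer, next to the fixed version that takes its own copy so it survives the parent's release and the buffer being overwritten. The str_t type and its functions are assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>

/* Minimal immutable string: a view over bytes, optionally owning them.
   It mirrors the choice an NSString-like class faces when asked for a
   substring of a string created with initWithBytesNoCopy:freeWhenDone:NO. */
typedef struct {
    const char *data;
    size_t len;
    int owns;   /* 1 if data was malloc'd here and must be freed */
} str_t;
/* Wraps caller-supplied memory without copying (freeWhenDone: NO). */
static str_t str_no_copy(const char *buf, size_t len) {
    str_t s = { buf, len, 0 };
    return s;
}
/* Buggy: the substring is only a view into the parent's ephemeral buffer. */
static str_t substr_shared(str_t s, size_t off, size_t n) {
    str_t sub = { s.data + off, n, 0 };
    return sub;
}
/* Fixed: the substring owns its own copy, so it outlives the parent's buffer. */
static str_t substr_copy(str_t s, size_t off, size_t n) {
    char *p = malloc(n + 1);
    if (!p) abort();
    memcpy(p, s.data + off, n);
    p[n] = '\0';
    str_t sub = { p, n, 1 };
    return sub;
}
static void str_free(str_t *s) {
    if (s->owns) free((void *)s->data);
    s->data = NULL; s->len = 0; s->owns = 0;
}
static int str_equals(str_t s, const char *lit) {
    return s.len == strlen(lit) && memcmp(s.data, lit, s.len) == 0;
}
/* Replays the report: substring, release the parent, overwrite the buffer.
   Returns 1 if the substring still reads "HAZ", 0 if it now reads garbage. */
static int substring_survives(int use_copy) {
    char buffer[] = "I HAZ A BUFFER";   /* constructed sample input */
    str_t str = str_no_copy(buffer, strlen(buffer));
    str_t sub = use_copy ? substr_copy(str, 2, 3) : substr_shared(str, 2, 3);
    str_free(&str);                      /* parent "released" */
    memset(buffer, '*', sizeof(buffer)); /* buffer reused by the caller */
    int ok = str_equals(sub, "HAZ");
    str_free(&sub);
    return ok;
}
```

With the shared view the substring reads "***" after the memset, exactly the symptom in the report; with the copying version it still reads "HAZ".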

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/