From: Martin Sebor
Organization: Rogue Wave Software
Date: Sun, 09 Jul 2006 15:19:57 -0600
To: stdcxx-dev@incubator.apache.org
Subject: Re: rw_match can address to memory after end of string buffer

Martin Sebor wrote:
> Farid Zaripov wrote:
>
>> I found that the rw_match function can address to the memory after
>> the end of the string buffer.
>>
>> It calls __rw_get_char to get the last character and this function
>> reads a character after the end of the string buffer:
>>
>> char.cpp line 534:
>> if ('<' == char (ch) && 'U' == src [0] && isxdigit (src [1])) {
>>
>> char.cpp line 548:
>> if ('@' == src [0] && isdigit (src [1])) {
>>
>> src [0] - is the place of the fail.
>
>
> Hmm, that does look like a subtle bug in rw_match(). Let me look
> into how best to fix it.

Here's a simple test case demonstrating the bug. The value returned
from rw_match() for two NUL-terminated sequences that are the same
should be the offset of the NUL character plus 1 (i.e., strlen(s0) + 1).

$ cat v.cpp && make v && ./v
#include
#include
#include

int main ()
{
    const char s0[] = "a\0@2";
    const char s1[] = "a\0@3";

    unsigned i = rw_match (s0, s1);

    rw_printf ("%u\n", i);

    assert (i == 2);
}
gcc -c -I/build/sebor/dev/stdlib/include/ansi -D_RWSTDDEBUG -pthreads -D_RWSTD_USE_CONFIG -I/build/sebor/dev/stdlib/include -I/build/sebor/gcc-4.1.0-15s/include -I/build/sebor/dev/stdlib/../rwtest -I/build/sebor/dev/stdlib/../rwtest/include -I/build/sebor/dev/stdlib/tests/include -pedantic -nostdinc++ -g -W -Wall -Wcast-qual -Winline -Wshadow -Wwrite-strings -Wno-long-long v.cpp
gcc v.o -o v -L/build/sebor/gcc-4.1.0-15s/rwtest -lrwtest15s -pthreads -L/build/sebor/gcc-4.1.0-15s/lib -lstd15s -lsupc++ -lm
3
Assertion failed: i == 2, file v.cpp, line 14
Abort (core dumped)
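
An added illustration, not stdcxx code and not part of the original message: a simplified model of the lookahead discussed in this thread, with the unguarded read beside one possible guarded form. The `c@N` run semantics, the names `get_char` and `match`, and the `guarded` flag are assumptions made for the example; the sample arrays are the ones from the test case above.

```cpp
#include <cctype>
#include <cstddef>
#include <cstdio>

// Decode one element of a simplified "c@N" run notation (assumed here:
// character c repeated N times). Returns c and stores N, or 1, in count.
static char get_char(const char*& src, std::size_t& count, bool guarded)
{
    const char ch = *src++;
    count = 1;

    // Unguarded, the lookahead runs even when ch is the terminating NUL,
    // so src[0] and src[1] are bytes past the end of the string.
    const bool peek = !guarded || '\0' != ch;

    if (peek && '@' == src[0] && std::isdigit((unsigned char)src[1])) {
        count = 0;
        for (++src; std::isdigit((unsigned char)*src); ++src)
            count = count * 10 + std::size_t(*src - '0');
    }
    return ch;
}

// Returns the offset of the first mismatch between the expanded sequences,
// or the offset of the NUL plus 1 when they are the same.
std::size_t match(const char* s1, const char* s2, bool guarded)
{
    std::size_t n1 = 0, n2 = 0, off = 0;
    char c1 = '\0', c2 = '\0';

    for (;;) {
        while (0 == n1) c1 = get_char(s1, n1, guarded);
        while (0 == n2) c2 = get_char(s2, n2, guarded);

        if (c1 != c2)
            return off;

        --n1; --n2; ++off;

        // A NUL whose run is used up ends at least one of the strings.
        if ('\0' == c1 && (0 == n1 || 0 == n2))
            return off;
    }
}

int main()
{
    const char s0[] = "a\0@2", s1[] = "a\0@3";   // arrays from the test case
    std::printf("%zu %zu\n", match(s0, s1, false), match(s0, s1, true));
}
```

The arrays keep the bytes after the NUL inside the object, so the unguarded run stays in bounds here; with an ordinary string literal the same lookahead reads memory the caller does not own.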