stdcxx-issues mailing list archives

From "Travis Vitek (JIRA)" <>
Subject [jira] Commented: (STDCXX-857) unexpected assertion from _rw_bufcat
Date Sat, 12 Apr 2008 01:33:04 GMT


Travis Vitek commented on STDCXX-857:

Internally the {{rw_asnprintf()}} routine will reallocate the destination buffer with a call
to {{_rw_bufcat()}}. After the reallocation happens, we check some guard bytes to verify the
buffer was not overflowed, and then we free it. There are two problems. First off, we don't
ever write the guard bytes to the end of the input buffers provided by the user. This results
in an unexpected assert. The second problem is that we don't track who owns the buffer, so
we will end up calling {{free()}} on a pointer to stack data.

My suggested fix is to add a flag to the Buffer struct in fmt_defs.h that indicates who owns
the buffer. If, in {{_rw_bufcat()}}, we see that we don't own the buffer, then we don't do bounds
checking on it [because we have no idea what the contents were], and we won't attempt to free
it. That seems pretty easy to handle. This simple fix does have one big drawback: it may allow
stack corruption because we aren't checking the buffer guard bytes after the first reallocation.
The current code doesn't really do it, so it isn't really much of a loss, but it is something
that I should mention.

> unexpected assertion from _rw_bufcat
> ------------------------------------
>                 Key: STDCXX-857
>                 URL:
>             Project: C++ Standard Library
>          Issue Type: Bug
>          Components: Test Driver
>    Affects Versions: 4.2.1
>            Reporter: Travis Vitek
>            Assignee: Travis Vitek
>             Fix For: 4.2.1
>   Original Estimate: 2h
>  Remaining Estimate: 2h
> Here is a testcase.
> {noformat}
> #include <rw_printf.h>
> #include <string.h>
> #include <stdlib.h>
> int main (int argc, char* argv[])
> {
>     const char* s = 1 < argc ? argv [1] : "bug-zapper";
>     char buffer [4];
>     char *buf = buffer;
>     size_t bufsize = sizeof buffer;
>     rw_asnprintf (&buf, &bufsize, "%s", s);
>     if (buf != buffer)
>         free (buf);
>     return 0;
> }
> {noformat}

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
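The ownership-flag scheme from the comment, as an added example rather than stdcxx's own code: a hypothetical Buf struct with an owned flag, an append routine that checks guard bytes and frees only buffers it allocated itself, and a driver shaped like the testcase (4-byte stack array, 10-byte string). Buf, buf_append, buf_guard_intact, demo_stack_start and the guard-byte layout are assumptions, not the real fmt_defs.h or _rw_bufcat().

```c
/* Added example (not stdcxx code): Buf, buf_append and GUARD are hypothetical. */
#include <stdlib.h>
#include <string.h>
static const unsigned char GUARD[4] = { 0x5a, 0xa5, 0x5a, 0xa5 };
typedef struct {
    char  *p;     /* the caller's array, or one we malloc'd */
    size_t cap;   /* usable bytes; if owned, guard bytes follow at p[cap] */
    size_t len;   /* bytes appended so far, excluding the terminator */
    int    owned; /* 0: caller's buffer, unguarded; 1: ours, guarded */
} Buf;
/* Only our own allocations carry guard bytes; checking a caller's buffer
 * would raise exactly the spurious assert the report describes. */
static int buf_guard_intact (const Buf *b)
{
    return !b->owned || 0 == memcmp (b->p + b->cap, GUARD, sizeof GUARD);
}
/* Append n bytes, moving to a guarded heap buffer when needed.
 * Returns 0, or -1 if the guard was clobbered or malloc failed. */
static int buf_append (Buf *b, const char *src, size_t n)
{
    if (!buf_guard_intact (b)) return -1;
    if (b->len + n + 1 > b->cap) {
        size_t ncap = 2 * (b->len + n + 1);
        char *np = malloc (ncap + sizeof GUARD);
        if (!np) return -1;
        memcpy (np, b->p, b->len);
        memcpy (np + ncap, GUARD, sizeof GUARD);
        if (b->owned) free (b->p);   /* free only our own allocation, never stack data */
        b->p = np; b->cap = ncap; b->owned = 1;
    }
    memcpy (b->p + b->len, src, n);
    b->len += n; b->p[b->len] = '\0';
    return 0;
}
/* Mirrors the testcase: a 4-byte stack array receives a 10-byte string. Returns
 * 1 if it moved to the heap intact (stack pointer not freed); 2 if, after a guard
 * byte is clobbered (clobber != 0), the next append refused as it should. */
static int demo_stack_start (int clobber)
{
    char stack[4];
    Buf b = { stack, sizeof stack, 0, 0 };
    int rc = 0 == buf_append (&b, "bug-zapper", 10) && b.owned && 0 == strcmp (b.p, "bug-zapper");
    if (rc && clobber) {
        b.p[b.cap] ^= 0xff;   /* simulate an overrun of the heap buffer */
        rc = -1 == buf_append (&b, "!", 1) ? 2 : 0;
    }
    if (b.owned) free (b.p);
    return rc;
}
```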
