subversion-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From i...@apache.org
Subject svn commit: r1738659 - /subversion/trunk/subversion/libsvn_subr/win32_crashrpt.c
Date Mon, 11 Apr 2016 22:48:30 GMT
Author: ivan
Date: Mon Apr 11 22:48:29 2016
New Revision: 1738659

URL: http://svn.apache.org/viewvc?rev=1738659&view=rev
Log:
Fix buffer overflow in the Win32 crash report handling.

* subversion/libsvn_subr/win32_crashrpt.c
  (format_basic_type): Rename to ...
  (write_basic_type): ... here. And write directly to LOG_FILE instead of
   temporary buffer.
  (format_value): Rename to ...
  (write_value): ... here. And write directly to LOG_FILE instead of temporary
   buffer.
  (write_var_values): Remove local variable VALUE_STR. Use write_value()
   instead of format_value().

Modified:
    subversion/trunk/subversion/libsvn_subr/win32_crashrpt.c

Modified: subversion/trunk/subversion/libsvn_subr/win32_crashrpt.c
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_subr/win32_crashrpt.c?rev=1738659&r1=1738658&r2=1738659&view=diff
==============================================================================
--- subversion/trunk/subversion/libsvn_subr/win32_crashrpt.c (original)
+++ subversion/trunk/subversion/libsvn_subr/win32_crashrpt.c Mon Apr 11 22:48:29 2016
@@ -261,18 +261,19 @@ write_process_info(EXCEPTION_RECORD *exc
 #endif
 }
 
-/* Formats the value at address based on the specified basic type
- * (char, int, long ...). */
+/* Writes the value at address based on the specified basic type
+ * (char, int, long ...) to LOG_FILE. */
 static void
-format_basic_type(char *buf, DWORD basic_type, DWORD64 length, void *address)
+write_basic_type(FILE *log_file, DWORD basic_type, DWORD64 length,
+                 void *address)
 {
   switch(length)
     {
       case 1:
-        sprintf(buf, "0x%02x", (int)*(unsigned char *)address);
+        fprintf(log_file, "0x%02x", (int)*(unsigned char *)address);
         break;
       case 2:
-        sprintf(buf, "0x%04x", (int)*(unsigned short *)address);
+        fprintf(log_file, "0x%04x", (int)*(unsigned short *)address);
         break;
       case 4:
         switch(basic_type)
@@ -280,38 +281,38 @@ format_basic_type(char *buf, DWORD basic
             case 2:  /* btChar */
               {
                 if (!IsBadStringPtr(*(PSTR*)address, 32))
-                  sprintf(buf, "\"%.31s\"", *(const char **)address);
+                  fprintf(log_file, "\"%.31s\"", *(const char **)address);
                 else
-                  sprintf(buf, FORMAT_PTR, *(DWORD_PTR *)address);
+                  fprintf(log_file, FORMAT_PTR, *(DWORD_PTR *)address);
               }
             case 6:  /* btInt */
-              sprintf(buf, "%d", *(int *)address);
+              fprintf(log_file, "%d", *(int *)address);
               break;
             case 8:  /* btFloat */
-              sprintf(buf, "%f", *(float *)address);
+              fprintf(log_file, "%f", *(float *)address);
               break;
             default:
-              sprintf(buf, FORMAT_PTR, *(DWORD_PTR *)address);
+              fprintf(log_file, FORMAT_PTR, *(DWORD_PTR *)address);
               break;
           }
         break;
       case 8:
         if (basic_type == 8) /* btFloat */
-          sprintf(buf, "%lf", *(double *)address);
+          fprintf(log_file, "%lf", *(double *)address);
         else
-          sprintf(buf, "0x%016I64X", *(unsigned __int64 *)address);
+          fprintf(log_file, "0x%016I64X", *(unsigned __int64 *)address);
         break;
       default:
-        sprintf(buf, "[unhandled type 0x%08x of length " FORMAT_PTR "]",
-                     basic_type, (INT_PTR)length);
+        fprintf(log_file, "[unhandled type 0x%08x of length " FORMAT_PTR "]",
+                basic_type, (INT_PTR)length);
         break;
     }
 }
 
-/* Formats the value at address based on the type (pointer, user defined,
- * basic type). */
+/* Writes the value at address based on the type (pointer, user defined,
+ * basic type) to LOG_FILE. */
 static void
-format_value(char *value_str, DWORD64 mod_base, DWORD type, void *value_addr)
+write_value(FILE *log_file, DWORD64 mod_base, DWORD type, void *value_addr)
 {
   DWORD tag = 0;
   int ptr = 0;
@@ -341,19 +342,19 @@ format_value(char *value_str, DWORD64 mo
               LocalFree(type_name_wbcs);
 
               if (ptr == 0)
-                sprintf(value_str, "(%s) " FORMAT_PTR,
+                fprintf(log_file, "(%s) " FORMAT_PTR,
                         type_name, (INT_PTR)(DWORD_PTR *)value_addr);
               else if (ptr == 1)
-                sprintf(value_str, "(%s *) " FORMAT_PTR,
+                fprintf(log_file, "(%s *) " FORMAT_PTR,
                         type_name, *(DWORD_PTR *)value_addr);
               else
-                sprintf(value_str, "(%s **) " FORMAT_PTR,
+                fprintf(log_file, "(%s **) " FORMAT_PTR,
                         type_name, *(DWORD_PTR *)value_addr);
 
               free(type_name);
             }
           else
-            sprintf(value_str, "[no symbol tag]");
+            fprintf(log_file, "[no symbol tag]");
         }
         break;
       case 16: /* SymTagBaseType */
@@ -365,27 +366,27 @@ format_value(char *value_str, DWORD64 mo
           /* print a char * as a string */
           if (ptr == 1 && length == 1)
             {
-              sprintf(value_str, FORMAT_PTR " \"%s\"",
+              fprintf(log_file, FORMAT_PTR " \"%s\"",
                       *(DWORD_PTR *)value_addr, *(const char **)value_addr);
             }
           else if (ptr >= 1)
             {
-              sprintf(value_str, FORMAT_PTR, *(DWORD_PTR *)value_addr);
+              fprintf(log_file, FORMAT_PTR, *(DWORD_PTR *)value_addr);
             }
           else if (SymGetTypeInfo_(proc, mod_base, type, TI_GET_BASETYPE, &bt))
             {
-              format_basic_type(value_str, bt, length, value_addr);
+              write_basic_type(log_file, bt, length, value_addr);
             }
         }
         break;
       case 12: /* SymTagEnum */
-          sprintf(value_str, "%d", *(DWORD_PTR *)value_addr);
+          fprintf(log_file, "%d", *(DWORD_PTR *)value_addr);
           break;
       case 13: /* SymTagFunctionType */
-          sprintf(value_str, FORMAT_PTR, *(DWORD_PTR *)value_addr);
+          fprintf(log_file, FORMAT_PTR, *(DWORD_PTR *)value_addr);
           break;
       default:
-          sprintf(value_str, "[unhandled tag: %d]", tag);
+          fprintf(log_file, "[unhandled tag: %d]", tag);
           break;
     }
 }
@@ -409,7 +410,6 @@ write_var_values(PSYMBOL_INFO sym_info,
   FILE *log_file   = ((symbols_baton_t*)baton)->log_file;
   int nr_of_frame = ((symbols_baton_t*)baton)->nr_of_frame;
   BOOL log_params = ((symbols_baton_t*)baton)->log_params;
-  char value_str[256] = "";
 
   /* get the variable's data */
   if (sym_info->Flags & SYMFLAG_REGREL)
@@ -427,17 +427,17 @@ write_var_values(PSYMBOL_INFO sym_info,
       else
         last_nr_of_frame = nr_of_frame;
 
-      format_value(value_str, sym_info->ModBase, sym_info->TypeIndex,
-                   (void *)var_data);
-      fprintf(log_file, "%.*s=%s", (int)sym_info->NameLen, sym_info->Name,
-              value_str);
+      fprintf(log_file, "%.*s=", (int)sym_info->NameLen, sym_info->Name);
+      write_value(log_file, sym_info->ModBase, sym_info->TypeIndex,
+                  (void *)var_data);
     }
   if (!log_params && sym_info->Flags & SYMFLAG_LOCAL)
     {
-      format_value(value_str, sym_info->ModBase, sym_info->TypeIndex,
-                   (void *)var_data);
-      fprintf(log_file, "        %.*s = %s\n", (int)sym_info->NameLen,
-              sym_info->Name, value_str);
+      fprintf(log_file, "        %.*s = ", (int)sym_info->NameLen,
+              sym_info->Name);
+      write_value(log_file, sym_info->ModBase, sym_info->TypeIndex,
+                  (void *)var_data);
+      fprintf(log_file, "\n");
     }
 
   return TRUE;



Mime
View raw message