From 14141bb4a6ea528b4c0b9295aa64348f7a675735 Mon Sep 17 00:00:00 2001
From: Paul Floyd <pjfloyd@wanadoo.fr>
Date: Wed, 1 May 2024 09:24:14 +0200
Subject: [PATCH 03/11] Bug 486293 - memccpy false positives
(cherry picked from commit 805c020c6e5161966e6eb0099ebe937a510cea9e)
---
NEWS | 1 +
memcheck/tests/memccpy2.c | 20 ++++++++++++++++++++
memcheck/tests/memccpy2.stderr.exp | 4 ++--
shared/vg_replace_strmem.c | 4 ++--
4 files changed, 25 insertions(+), 4 deletions(-)
diff --git a/NEWS b/NEWS
index c40e00cce46b..f674191a286a 100644
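--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,7 @@ Branch 3.23
 The following bugs have been fixed or resolved on this branch.
 
 486180 [MIPS] 'VexGuestArchState' has no member named 'guest_IP_AT_SYSCALL'
+486293 memccpy false positives
 
 To see details of a given bug, visit
 https://bugs.kde.org/show_bug.cgi?id=XXXXXX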
diff --git a/memcheck/tests/memccpy2.c b/memcheck/tests/memccpy2.c
index a5a1dfc9f0af..947324581715 100644
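--- a/memcheck/tests/memccpy2.c
+++ b/memcheck/tests/memccpy2.c
@@ -1,6 +1,8 @@
 #include <ctype.h>
 #include <stdio.h>
 #include <string.h>
+#include <assert.h>
+#include <stdlib.h>
 
 int main(void)
 {
@@ -9,5 +11,23 @@ int main(void)
 memccpy(astring+10, astring, '#', len-10);
 sprintf(astring, "this is a string # with something to seek");
 memccpy(astring, astring+10, '#', len);
+
+ sprintf(astring, "this is a string # with something to seek");
+ /*
+ * space is earlier than len, no overlap
+ * "this " gets copied (up to and including the first ' ')
+ * and it overwrites the destination starting with the 's' of "string"
+ * so res will point to the 'g' of "string"
+ */
+ char* res = memccpy(astring+10, astring, ' ', len-10);
+ assert(res && *res == 'g');
+ sprintf(astring, "this is a string # with something to seek");
+ /* length is 0, nothing copied, returns NULL */
+ res = memccpy(astring, "abcdefhhijklmnopqrstuvwxy", 'z', 0);
+ assert(NULL == res);
+ /* 'z' not found so 20 bytes copied, returns NULL */
+ res = memccpy(astring, "abcdefhhijklmnopqrstuvwxy", 'z', 20);
+ assert(NULL == res);
+ free(astring);
 }
 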
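Review bot: The three new cases in the second hunk assert only memccpy's return value, so the property this fix is about, no overlap report for `memccpy(astring+10, astring, ' ', len-10)`, is checked only indirectly by memccpy2.stderr.exp still listing two reports. The block comment should say so, for example `* must not add a third overlap report to memccpy2.stderr.exp`. It should also give the ranges: five bytes are read from astring[0..4], which end before the destination at astring+10. The asserts also vanish if the test is ever built with NDEBUG, leaving these calls unchecked. The allocation of astring and the value of len are outside the hunk, so the bounds of the unbounded `sprintf` calls cannot be confirmed from here.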
diff --git a/memcheck/tests/memccpy2.stderr.exp b/memcheck/tests/memccpy2.stderr.exp
index 0132ef06c56a..240ce925c182 100644
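--- a/memcheck/tests/memccpy2.stderr.exp
+++ b/memcheck/tests/memccpy2.stderr.exp
@@ -1,8 +1,8 @@
 Source and destination overlap in memccpy(0x........, 0x........, 31)
 at 0x........: memccpy (vg_replace_strmem.c:...)
- by 0x........: main (memccpy2.c:9)
+ by 0x........: main (memccpy2.c:11)
 
 Source and destination overlap in memccpy(0x........, 0x........, 41)
 at 0x........: memccpy (vg_replace_strmem.c:...)
- by 0x........: main (memccpy2.c:11)
+ by 0x........: main (memccpy2.c:13)
 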
diff --git a/shared/vg_replace_strmem.c b/shared/vg_replace_strmem.c
index 737abbf67898..ae13a2a5f87a 100644
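--- a/shared/vg_replace_strmem.c
+++ b/shared/vg_replace_strmem.c
@@ -2364,9 +2364,9 @@ static inline void my_exit ( int x )
 \
 while (i-- > 0) \
 if ((*d++ = *s++) == x) { \
- SizeT srclen = (i < len) ? i : len; \
+ SizeT srclen = len - i; \
 RECORD_COPY(srclen); \
- if (is_overlap(dst, src, srclen, srclen)) \
+ if (is_overlap(dst, src, len, srclen)) \
 RECORD_OVERLAP_ERROR("memccpy", dst, src, len); \
 return d; \
 } \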
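Review bot: The new call `is_overlap(dst, src, len, srclen)` checks the destination over the full `len` but the source only over the `srclen` bytes read, and nothing at the call site says the asymmetry is intended. Only `srclen` bytes are written to `dst` on this path, so a destination below the source can still be reported when the bytes written stop short of `src`; the second report kept in memccpy2.stderr.exp looks like that case. If this conservative reading is intended, a comment such as `/* dst is checked over the full len the caller passed; src only over the bytes read up to and including c */ \` would keep a later edit from changing it back to `srclen, srclen`. The argument order (dst, src, dstlen, srclen) is inferred from this call, and the macro body begins and ends outside the hunk.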
--
2.45.2