valgrind/0003-Bug-486293-memccpy-false-positives.patch

97 lines
3.4 KiB
Diff
Raw Normal View History

From 14141bb4a6ea528b4c0b9295aa64348f7a675735 Mon Sep 17 00:00:00 2001
From: Paul Floyd <pjfloyd@wanadoo.fr>
Date: Wed, 1 May 2024 09:24:14 +0200
Subject: [PATCH 03/11] Bug 486293 - memccpy false positives
(cherry picked from commit 805c020c6e5161966e6eb0099ebe937a510cea9e)
---
NEWS | 1 +
memcheck/tests/memccpy2.c | 20 ++++++++++++++++++++
memcheck/tests/memccpy2.stderr.exp | 4 ++--
shared/vg_replace_strmem.c | 4 ++--
4 files changed, 25 insertions(+), 4 deletions(-)
diff --git a/NEWS b/NEWS
index c40e00cce46b..f674191a286a 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,7 @@ Branch 3.23
The following bugs have been fixed or resolved on this branch.
486180 [MIPS] 'VexGuestArchState' has no member named 'guest_IP_AT_SYSCALL'
+486293 memccpy false positives
To see details of a given bug, visit
https://bugs.kde.org/show_bug.cgi?id=XXXXXX
diff --git a/memcheck/tests/memccpy2.c b/memcheck/tests/memccpy2.c
index a5a1dfc9f0af..947324581715 100644
--- a/memcheck/tests/memccpy2.c
+++ b/memcheck/tests/memccpy2.c
@@ -1,6 +1,8 @@
#include <ctype.h>
#include <stdio.h>
#include <string.h>
+#include <assert.h>
+#include <stdlib.h>
int main(void)
{
@@ -9,5 +11,23 @@ int main(void)
memccpy(astring+10, astring, '#', len-10);
sprintf(astring, "this is a string # with something to seek");
memccpy(astring, astring+10, '#', len);
+
+ sprintf(astring, "this is a string # with something to seek");
+ /*
+ * space is earlier than len, no overlap
+ * "this " gets copied (up to and including the first ' ')
+ * and it overwrites the destination starting with the 's' of "string"
+ * so res will point to the 'g' of "string"
+ */
+ char* res = memccpy(astring+10, astring, ' ', len-10);
+ assert(res && *res == 'g');
+ sprintf(astring, "this is a string # with something to seek");
+ /* length is 0, nothing copied, returns NULL */
+ res = memccpy(astring, "abcdefhhijklmnopqrstuvwxy", 'z', 0);
+ assert(NULL == res);
+ /* 'z' not found so 20 bytes copied, returns NULL */
+ res = memccpy(astring, "abcdefhhijklmnopqrstuvwxy", 'z', 20);
+ assert(NULL == res);
+ free(astring);
}
diff --git a/memcheck/tests/memccpy2.stderr.exp b/memcheck/tests/memccpy2.stderr.exp
index 0132ef06c56a..240ce925c182 100644
--- a/memcheck/tests/memccpy2.stderr.exp
+++ b/memcheck/tests/memccpy2.stderr.exp
@@ -1,8 +1,8 @@
Source and destination overlap in memccpy(0x........, 0x........, 31)
at 0x........: memccpy (vg_replace_strmem.c:...)
- by 0x........: main (memccpy2.c:9)
+ by 0x........: main (memccpy2.c:11)
Source and destination overlap in memccpy(0x........, 0x........, 41)
at 0x........: memccpy (vg_replace_strmem.c:...)
- by 0x........: main (memccpy2.c:11)
+ by 0x........: main (memccpy2.c:13)
diff --git a/shared/vg_replace_strmem.c b/shared/vg_replace_strmem.c
index 737abbf67898..ae13a2a5f87a 100644
--- a/shared/vg_replace_strmem.c
+++ b/shared/vg_replace_strmem.c
@@ -2364,9 +2364,9 @@ static inline void my_exit ( int x )
\
while (i-- > 0) \
if ((*d++ = *s++) == x) { \
- SizeT srclen = (i < len) ? i : len; \
+ SizeT srclen = len - i; \
RECORD_COPY(srclen); \
- if (is_overlap(dst, src, srclen, srclen)) \
+ if (is_overlap(dst, src, len, srclen)) \
RECORD_OVERLAP_ERROR("memccpy", dst, src, len); \
return d; \
} \
--
2.45.2