From patchwork Tue Mar 8 12:59:02 2011
X-Patchwork-Submitter: Jim Meyering
X-Patchwork-Id: 85973
From: Jim Meyering
To: gcc-patches@gcc.gnu.org
Subject: [PATCH] avoid memory overrun in a test leading to potential double-free
Date: Tue, 08 Mar 2011 13:59:02 +0100
Message-ID: <87aah5rco9.fsf@rho.meyering.net>

I ran "make check" and was dismayed to see that glibc detected a
double-free.  At first I thought it must be my fault, since I'd been
removing useless tests before free, but no...

Running "valgrind ./test-expandargv" confirmed it:

==29710== Conditional jump or move depends on uninitialised value(s)
==29710==    at 0x400E14: run_replaces (test-expandargv.c:121)
==29710==    by 0x400F63: writeout_test (test-expandargv.c:151)
==29710==    by 0x401037: run_tests (test-expandargv.c:188)
==29710==    by 0x40124C: main (test-expandargv.c:264)
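The following is an added example, not code from this patch or from libiberty's test suite. It reproduces in plain C the mechanism the valgrind report points at: a buffer of len + 1 bytes is allocated, only len bytes are copied, and the byte where the terminator should be is left holding whatever the allocator left behind, so any loop that walks the copy until '\0' (as run_replaces does) reads past the real end of the string. The function names (copy_without_nul, copy_with_nul, is_terminated, replace_in_place, demo_off_by_one), the POISON byte used to make the stale heap contents deterministic, and the sample string are all assumptions made for the demonstration; the replace loop is a stand-in for run_replaces, not its actual logic.

```c
/* Added example (not from libiberty or this patch): the off-by-one copy
   from writeout_test, side by side with the fixed copy, plus a check that
   tells the two apart before any '\0'-walking code touches the buffer.  */
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Assumed value: stands in for whatever malloc left in the block, so the
   "uninitialised" byte is deterministic in this demo.  */
#define POISON 0xAA

/* Pre-patch behaviour: copies strlen (src) bytes into a (len + 1)-byte
   block.  dst[len] is never written, so the copy is not a C string.  */
char *
copy_without_nul (const char *src)
{
  size_t len = strlen (src);
  char *dst = malloc (len + 1);
  if (dst == NULL)
    return NULL;
  memset (dst, POISON, len + 1);   /* simulate stale heap contents */
  memcpy (dst, src, len);          /* off by one: terminator not copied */
  return dst;
}

/* Post-patch behaviour: copies len + 1 bytes, including the NUL.  */
char *
copy_with_nul (const char *src)
{
  size_t len = strlen (src);
  char *dst = malloc (len + 1);
  if (dst == NULL)
    return NULL;
  memset (dst, POISON, len + 1);
  memcpy (dst, src, len + 1);      /* trailing NUL now lands in dst[len] */
  return dst;
}

/* Returns 1 if buf[0..cap-1] contains a '\0', 0 if a loop that stops at
   '\0' would run off the end of the allocation.  */
int
is_terminated (const char *buf, size_t cap)
{
  return memchr (buf, '\0', cap) != NULL;
}

/* A run_replaces-style in-place rewrite that trusts the terminator:
   every FROM byte becomes TO.  Returns the number of replacements.
   Only safe when is_terminated (buf, cap) is true.  */
size_t
replace_in_place (char *buf, char from, char to)
{
  size_t n = 0;
  for (char *p = buf; *p != '\0'; p++)
    if (*p == from)
      {
        *p = to;
        n++;
      }
  return n;
}

/* Runs both copies over a constructed input.  Returns 1 when the buggy
   copy is unterminated, the fixed copy is terminated, and the replace
   loop over the fixed copy produces the expected string.  */
int
demo_off_by_one (void)
{
  const char *sample = "@foo bar";   /* constructed input, not from the test suite */
  size_t len = strlen (sample);
  char *bad = copy_without_nul (sample);
  char *good = copy_with_nul (sample);
  int ok = bad != NULL && good != NULL
           && !is_terminated (bad, len + 1)
           && is_terminated (good, len + 1);
  if (ok)
    {
      size_t n = replace_in_place (good, ' ', '\n');
      ok = (n == 1) && strcmp (good, "@foo\nbar") == 0;
    }
  free (bad);
  free (good);
  return ok;
}

int
main (void)
{
  printf ("buggy copy unterminated, fixed copy terminated: %s\n",
          demo_off_by_one () ? "yes" : "no");
  return 0;
}
```

The is_terminated check is the cheap assertion a test like writeout_test could make before handing a freshly built buffer to string code; running the binary under valgrind, as the report above does, is what catches it when nobody wrote that check.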
From f60778ef0f07983b0ba72ed97fe52b687de28abb Mon Sep 17 00:00:00 2001 From: Jim Meyering Date: Tue, 8 Mar 2011 13:54:13 +0100 Subject: [PATCH] avoid memory overrun in a test leading to potential double-free * testsuite/test-expandargv.c (writeout_test): Fix off-by-one error: i.e., do copy the trailing NUL byte. --- libiberty/ChangeLog | 6 ++++++ libiberty/testsuite/test-expandargv.c | 2 +- 2 files changed, 7 insertions(+), 1 deletions(-) diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog index dc92638..802cf96 100644 --- a/libiberty/ChangeLog +++ b/libiberty/ChangeLog @@ -1,6 +1,12 @@ +2011-03-08 Jim Meyering + + avoid memory overrun in a test leading to potential double-free + * testsuite/test-expandargv.c (writeout_test): Fix off-by-one error: + i.e., do copy the trailing NUL byte. + 2011-02-28 Kai Tietz * filename_cmp.c (filename_ncmp): New function. * functions.texi: Regenerated. 2011-02-03 Ralf Wildenhues diff --git a/libiberty/testsuite/test-expandargv.c b/libiberty/testsuite/test-expandargv.c index c16a032..57b96b3 100644 --- a/libiberty/testsuite/test-expandargv.c +++ b/libiberty/testsuite/test-expandargv.c @@ -201,13 +201,13 @@ writeout_test (int test, const char * test_data) /* Generate RW copy of data for replaces */ len = strlen (test_data); parse = malloc (sizeof (char) * (len + 1)); if (parse == NULL) fatal_error (__LINE__, "Failed to malloc parse.", errno); - memcpy (parse, test_data, sizeof (char) * len); + memcpy (parse, test_data, sizeof (char) * (len + 1)); /* Run all possible replaces */ run_replaces (parse); fwrite (parse, len, sizeof (char), fd); free (parse); fclose (fd);
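Review bot: in the test-expandargv.c hunk, the fixed memcpy now copies the terminator, but the unchanged fwrite (parse, len, sizeof (char), fd) two lines below still writes len bytes computed from test_data before run_replaces (parse) ran; if any replacement can change the string's length, the output file gets stale or truncated bytes, and if none can, a comment saying so next to run_replaces would make that safe. Two smaller points on the same lines: with sizeof (char) defined as 1, `memcpy (parse, test_data, len + 1);` or `strcpy (parse, test_data);` says the same thing without the multiplication, and the fwrite call passes len as the element size and sizeof (char) as the count, the reverse of the usual (ptr, size, nmemb) idiom, with its return value unchecked.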