From patchwork Fri Sep 8 10:18:24 2017
X-Patchwork-Submitter: Arnaud Charlet
X-Patchwork-Id: 811480
Date: Fri, 8 Sep 2017 06:18:24 -0400
From: Arnaud Charlet
To: gcc-patches@gcc.gnu.org
Cc: Bob Duff
Subject: [Ada] T'Class'Input reading corrupted data
Message-ID: <20170908101824.GA49329@adacore.com>

If T'Class'Input is called on a stream containing data that does not look like it comes from T'Class'Output, it could crash. This patch fixes that bug by making sure it raises an exception.

Tested on x86_64-pc-linux-gnu, committed on trunk

2017-09-08  Bob Duff

	* a-tags.adb (Internal_Tag): Unsuppress checks, so we get exceptions
	instead of crashes. Check for absurdly long strings and empty
	strings. Empty strings cause trouble because they can have
	super-null ranges (e.g. 100..10), which causes Ext_Copy to be empty,
	which causes an array index out of bounds.
	* s-ststop.adb (Input): Unsuppress checks, so we get exceptions
	instead of crashes.

Index: a-tags.adb =================================================================== --- a-tags.adb (revision 251863) +++ a-tags.adb (working copy) @@ -641,10 +641,22 @@ Header_Separator : constant Character := '#'; function Internal_Tag (External : String) return Tag is - Ext_Copy : aliased String (External'First .. External'Last + 1); - Res : Tag := null; + pragma Unsuppress (All_Checks); + -- To make T'Class'Input robust in the case of bad data + Res : Tag := null; + begin + -- Raise Tag_Error for empty strings, and for absurdly long strings. + -- This is to make T'Class'Input robust in the case of bad data, for + -- example a String(123456789..1234). The limit of 10,000 characters is + -- arbitrary, but is unlikely to be exceeded by legitimate external tag + -- names. + + if External'Length not in 1 .. 10_000 then + raise Tag_Error; + end if; + -- Handle locally defined tagged types if External'Length > Internal_Tag_Header'Length
@@ -731,9 +743,14 @@ else -- Make NUL-terminated copy of external tag string - Ext_Copy (External'Range) := External; - Ext_Copy (Ext_Copy'Last) := ASCII.NUL; - Res := External_Tag_HTable.Get (Ext_Copy'Address); + declare + Ext_Copy : aliased String (External'First .. External'Last + 1); + pragma Assert (Ext_Copy'Length > 1); -- See Length check at top + begin + Ext_Copy (External'Range) := External; + Ext_Copy (Ext_Copy'Last) := ASCII.NUL; + Res := External_Tag_HTable.Get (Ext_Copy'Address); + end; end if; if Res = null then Index: s-ststop.adb =================================================================== --- s-ststop.adb (revision 251863) +++ s-ststop.adb (working copy) @@ -6,7 +6,7 @@ -- -- -- B o d y -- -- -- --- Copyright (C) 2008-2013, Free Software Foundation, Inc. -- +-- Copyright (C) 2008-2017, Free Software Foundation, Inc. -- -- -- -- GNAT is free software; you can redistribute it and/or modify it under -- -- terms of the GNU General Public License as published by the Free Soft- -- @@ -128,17 +128,20 @@ (Strm : access Root_Stream_Type'Class; IO : IO_Kind) return Array_Type is + pragma Unsuppress (All_Checks); + -- To make T'Class'Input robust in the case of bad data. The + -- declaration of Item below could raise Storage_Error if the length + -- is huge. begin if Strm = null then raise Constraint_Error; end if; declare - Low : Index_Type; - High : Index_Type; - + Low, High : Index_Type'Base; begin - -- Read the bounds of the string + -- Read the bounds of the string. Note that they could be out of + -- range of Index_Type in the case of empty arrays. Index_Type'Read (Strm, Low); Index_Type'Read (Strm, High);
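Review bot: in the first a-tags.adb hunk (@@ -641), the bound in `if External'Length not in 1 .. 10_000 then` is a magic number that the comment itself calls arbitrary; a named constant next to `Header_Separator` (say `Max_External_Tag_Length`, my suggested name) would give the check, the comment and any later test one definition to refer to. The one-line comment under `pragma Unsuppress (All_Checks)` restates the longer comment placed after `begin` and could be dropped to keep the two from drifting apart.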
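Review bot: in the second a-tags.adb hunk (@@ -731), `Ext_Copy : aliased String (External'First .. External'Last + 1);` still overflows when External'Last = Integer'Last, which the length check at the top does not exclude (a slice of at most 10_000 characters can end at Positive'Last, and with T'Class'Input both bounds come straight from the stream). With checks now unsuppressed that is a Constraint_Error rather than a memory corruption, but it is not the Tag_Error the rest of the routine promises for bad data. Declaring the copy as `String (1 .. External'Length + 1)` and assigning `Ext_Copy (1 .. External'Length) := External;` removes the corner case. Note also that `pragma Assert (Ext_Copy'Length > 1);` is only evaluated when assertions are enabled for the runtime, so it documents the invariant rather than enforcing it.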
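Review bot: in the s-ststop.adb hunk (@@ -128), relying on `pragma Unsuppress (All_Checks)` so that the declaration of Item raises Storage_Error when Low .. High is huge (as the new comment says) only holds on targets where a stack overflow is actually detected; a local array of hundreds of megabytes can jump past the guard page and still fault, so the crash this patch sets out to fix may survive on such targets. Since both bounds are untrusted stream data, an explicit sanity check on High - Low + 1 (computed without overflow, since both are Index_Type'Base) before Item is declared, in the spirit of the 10_000 limit added to Internal_Tag, would make the failure a deterministic exception.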
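An added regression harness, not part of this patch or of GNAT: it feeds T'Class'Input a constructed stream whose String bounds form the super-null range (100..10) that the ChangeLog describes, so a fixed runtime reports an exception where the old one wrote out of bounds. The Mem_Stream type and the payload bytes are my own; the harness assumes GNAT's 4-byte native-endian stream representation of Integer on a little-endian host.

```ada
with Ada.Streams;    use Ada.Streams;
with Ada.Exceptions; use Ada.Exceptions;
with Ada.Tags;       use Ada.Tags;
with Ada.Text_IO;    use Ada.Text_IO;

procedure Corrupt_Class_Input is
   --  Minimal in-memory stream (my own harness type, not GNAT's): Read hands
   --  out bytes from Buf; a short read makes the runtime raise End_Error.
   type Mem_Stream is new Root_Stream_Type with record
      Buf : Stream_Element_Array (1 .. 16) := (others => 0);
      Len : Stream_Element_Offset := 0;
      Pos : Stream_Element_Offset := 1;
   end record;

   overriding procedure Read
     (S    : in out Mem_Stream;
      Item : out Stream_Element_Array;
      Last : out Stream_Element_Offset)
   is
      N : constant Stream_Element_Offset :=
        Stream_Element_Offset'Min (Item'Length, S.Len - S.Pos + 1);
   begin
      Item (Item'First .. Item'First + N - 1) := S.Buf (S.Pos .. S.Pos + N - 1);
      S.Pos := S.Pos + N;
      Last  := Item'First + N - 1;
   end Read;

   overriding procedure Write (S : in out Mem_Stream; Item : Stream_Element_Array) is
   begin
      raise Program_Error;   --  the harness never writes
   end Write;
   type T is tagged null record;   --  any tagged root type will do
   Bad : aliased Mem_Stream;
begin
   --  Constructed payload: the String bounds that T'Class'Input reads first,
   --  Low = 100 and High = 10 (the super-null range from the ChangeLog) as
   --  32-bit little-endian Integers, followed by no characters at all.
   Bad.Buf (1 .. 8) := (100, 0, 0, 0, 10, 0, 0, 0);
   Bad.Len := 8;

   declare
      X : constant T'Class := T'Class'Input (Bad'Access);
   begin
      Put_Line ("FAIL: corrupted stream accepted as " & External_Tag (X'Tag));
   end;
exception
   when E : Tag_Error | Constraint_Error | End_Error =>
      Put_Line ("OK: rejected with " & Exception_Name (E));
end Corrupt_Class_Input;
```

Build with gnatmake corrupt_class_input.adb; a runtime with this patch prints the OK line with Tag_Error, while one without it may crash instead, which is the behaviour the commit message describes.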