GNU bug report logs - #18269
incorrect undossify_input prototype - possible integer overflow


Package: grep

Reported by: Vincent Lefevre <vincent <at> vinc17.net>

Date: Fri, 15 Aug 2014 00:57:01 UTC

Severity: normal

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.

Full log



From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Paul Eggert <eggert <at> cs.ucla.edu>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#18269: closed (incorrect undossify_input prototype - possible integer overflow)
Date: Fri, 15 Aug 2014 01:42:02 +0000
Your message dated Thu, 14 Aug 2014 18:41:32 -0700
with message-id <53ED654C.4070004 <at> cs.ucla.edu>
and subject line Re: bug#18269: incorrect undossify_input prototype - possible integer overflow
has caused the debbugs.gnu.org bug report #18269,
regarding incorrect undossify_input prototype - possible integer overflow
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
18269: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=18269
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
From: Vincent Lefevre <vincent <at> vinc17.net>
To: bug-grep <at> gnu.org
Subject: incorrect undossify_input prototype - possible integer overflow
Date: Fri, 15 Aug 2014 02:56:19 +0200
In grep 2.20, grep.c contains:

  ssize_t fillsize;
  size_t readsize;
[...]
  fillsize = safe_read (bufdesc, readbuf, readsize);
  if (fillsize < 0)
    fillsize = cc = 0;
  bufoffset += fillsize;
  fillsize = undossify_input (readbuf, fillsize);

In practice, readsize can be large on a 64-bit machine (more than
2 GB), so that the return value of safe_read(), fillsize, can also
be large since a read() is called with readsize as the 3rd argument.
But dosbuf.c has:

static int
undossify_input (char *buf, size_t buflen)
{
  if (! O_BINARY)
    return buflen;
[...]

meaning that the potentially large buflen (> 2 GB) is returned as an
int, whose usual size is 32 bits only, yielding an integer overflow.

undossify_input should be rewritten in such a way that some int's are
changed to size_t or ssize_t.

Note: This bug is currently not visible under Linux due to a limitation
in the kernel (breaking POSIX compliance, BTW): the read() return value
is limited to 0x7ffff000.

-- 
Vincent Lefèvre <vincent <at> vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
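The width mismatch Vincent describes can be shown without a 2 GB read. The following added example (not grep's code, and not part of the bug report) models the non-DOS path of undossify_input twice: once with the original `int` return type and once with a `size_t` return, then feeds a constructed byte count through the same `ssize_t fillsize` round trip that grep.c performs. The names `count_as_int`, `count_as_size_t` and `roundtrip_preserved` are hypothetical; the conversion of an out-of-range `size_t` to `int` is implementation-defined in C, and the wrap-around shown is what common ABIs do.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>   /* ssize_t */

/* Hypothetical stand-in for the `if (! O_BINARY) return buflen;` branch of
   undossify_input as shipped in grep 2.20: the count passes through, but the
   declared return type is int, so the size_t argument is narrowed on return.
   On typical 64-bit ABIs a value above INT_MAX wraps modulo 2^32. */
static int
count_as_int (size_t buflen)
{
  return buflen;   /* implicit size_t -> int narrowing: the defect */
}

/* Width-correct variant: the return type matches the argument type. */
static size_t
count_as_size_t (size_t buflen)
{
  return buflen;
}

/* Defensive check a caller can apply before handing a length to an
   int-returning routine: does the count survive the narrowing? */
int
fits_in_int (size_t n)
{
  return n <= (size_t) INT_MAX;
}

/* Reproduce the caller pattern from grep.c: the function result is stored in
   an ssize_t fillsize and then used as a byte count.  Returns 1 if the count
   came back unchanged, 0 if the narrowing corrupted it. */
int
roundtrip_preserved (size_t readsize, int use_fixed)
{
  ssize_t fillsize = use_fixed ? (ssize_t) count_as_size_t (readsize)
                               : (ssize_t) count_as_int (readsize);
  return fillsize >= 0 && (size_t) fillsize == readsize;
}

int
main (void)
{
  /* Constructed read sizes: a page, the Linux per-read cap the report
     mentions (0x7ffff000, still below INT_MAX), and INT_MAX + 1. */
  size_t sizes[] = { 4096, 0x7ffff000, (size_t) INT_MAX + 1 };
  size_t i;

  for (i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
    printf ("readsize=%zu fits_in_int=%d int-return ok=%d size_t-return ok=%d\n",
            sizes[i], fits_in_int (sizes[i]),
            roundtrip_preserved (sizes[i], 0),
            roundtrip_preserved (sizes[i], 1));
  return 0;
}
```

The third row is the case the report is about: with the `int` prototype the count comes back negative (or otherwise wrong) and the `size_t` version preserves it. Building with `-Wconversion` flags the narrowing in `count_as_int` at compile time, which is the cheapest way to find this class of mismatch across a code base.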


From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Vincent Lefevre <vincent <at> vinc17.net>, 18269-done <at> debbugs.gnu.org
Subject: Re: bug#18269: incorrect undossify_input prototype - possible integer overflow
Date: Thu, 14 Aug 2014 18:41:32 -0700
Thanks for reporting that.  Plus, there's a related bug in the use of 
safe_read.  I fixed them both with the attached patch.
Attachment: 0001-grep-fix-integer-width-bugs-in-undossify_input-etc.patch (text/plain)



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.