GNU bug report logs - #18269
incorrect undossify_input prototype - possible integer overflow

Previous Next

Package: grep;

Reported by: Vincent Lefevre <vincent <at> vinc17.net>

Date: Fri, 15 Aug 2014 00:57:01 UTC

Severity: normal

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Vincent Lefevre <vincent <at> vinc17.net>
Subject: bug#18269: closed (Re: bug#18269: incorrect undossify_input
 prototype - possible integer overflow)
Date: Fri, 15 Aug 2014 01:42:03 +0000

[Message part 1 (text/plain, inline)]
Your bug report

#18269: incorrect undossify_input prototype - possible integer overflow

which was filed against the grep package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 18269 <at> debbugs.gnu.org.

-- 
18269: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=18269
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]
From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Vincent Lefevre <vincent <at> vinc17.net>, 18269-done <at> debbugs.gnu.org
Subject: Re: bug#18269: incorrect undossify_input prototype - possible integer
 overflow
Date: Thu, 14 Aug 2014 18:41:32 -0700

[Message part 3 (text/plain, inline)]
Thanks for reporting that.  Plus, there's a related bug in the use of 
safe_read.  I fixed them both with the attached patch.

[0001-grep-fix-integer-width-bugs-in-undossify_input-etc.patch (text/plain, attachment)]
[Message part 5 (message/rfc822, inline)]
From: Vincent Lefevre <vincent <at> vinc17.net>
To: bug-grep <at> gnu.org
Subject: incorrect undossify_input prototype - possible integer overflow
Date: Fri, 15 Aug 2014 02:56:19 +0200

In grep 2.20, grep.c contains:

  ssize_t fillsize;
  size_t readsize;
[...]
  fillsize = safe_read (bufdesc, readbuf, readsize);
  if (fillsize < 0)
    fillsize = cc = 0;
  bufoffset += fillsize;
  fillsize = undossify_input (readbuf, fillsize);

In practice, readsize can be large on a 64-bit machine (more than
2 GB), so that the return value of safe_read(), fillsize, can also
be large since a read() is called with readsize as the 3rd argument.
But dosbuf.c has:

static int
undossify_input (char *buf, size_t buflen)
{
  if (! O_BINARY)
    return buflen;
[...]

meaning that the potentially large buflen (> 2 GB) is returned as an
int, whose usual size is 32 bits only, yielding an integer overflow.

undossify_input should be rewritten in such a way that some int's are
changed to size_t or ssize_t.

Note: This bug is currently not visible under Linux due to a limitation
in the kernel (breaking POSIX compliance, BTW): the read() return value
is limited to 0x7ffff000.

-- 
Vincent Lefèvre <vincent <at> vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
This bug report was last modified 10 years and 278 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.