GNU bug report logs - #19563
grep -F: fix a heap buffer (read) overrun
Reported by: Jim Meyering <jim <at> meyering.net>
Date: Sat, 10 Jan 2015 23:44:02 UTC
Severity: normal
Done: Paul Eggert <eggert <at> cs.ucla.edu>
Bug is archived. No further changes may be made.
Message #20 received at 19563 <at> debbugs.gnu.org (full text, mbox):
On Sun, 11 Jan 2015 17:49:22 -0800
Jim Meyering <jim <at> meyering.net> wrote:
> On Sun, Jan 11, 2015 at 4:31 PM, Norihiro Tanaka <noritnk <at> kcn.ne.jp> wrote:
> ...
> > How about the attachments instead for the second patch?
>
> Thank you for the suggestion.
>
> However, I do not see a problem with Yuliy's fix, so have pushed it,
> along with the other two commits.
>
> Comparing your change to Yuliy's, I have a slight preference
> for his, since it adds work only to the rarely-used code path on
> which this bug was introduced, and keeps the handling of
> "out of bounds TP" closer to the code that makes TP too large.
>
> If you can provide justification for this proposed change,
> would you please do so in the commit log of a rebased patch?
I understood. However, if d == 0 is fulfilled before reaching memchr(), even if
ep <= tp is fulfilled, bm_delta2_search() can be called, and it is not buggy.
So it is difficult for me to understand that we must exit the loop if
tp <= ep at the point, although I understand that his fix is correct.
This bug report was last modified 10 years and 55 days ago.