[ nedit-Bugs-2858723 ] Off by one error causes crash with certain optimizations

SourceForge.net noreply at sourceforge.net
Mon Sep 14 19:47:06 CEST 2009


Bugs item #2858723, was opened at 2009-09-14 12:47
Message generated for change (Tracker Item Submitted) made by eteran
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=111005&aid=2858723&group_id=11005

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Evan Teran (eteran)
Assigned to: Nobody/Anonymous (nobody)
Summary: Off by one error causes crash with certain optimizations

Initial Comment:
regularExp.c contains an off by one error. Default_Delimiters is defined as


static unsigned char  Default_Delimiters [UCHAR_MAX] = {0};

Note that UCHAR_MAX == 255 on most architectures. Later, makeDelimiterTable does the following on line 4089:

memset (table, 0, 256);

This overwrites one byte of an adjacent variable with 0, most likely the Current_Delimiters variable. When compiling with "-O2 -finline-functions" this will cause a crash. (Also, some versions of gcc will give a warning about the buffer overflow:

In file included from /usr/include/string.h:640,
                 from regularExp.c:83:
In function ‘memset’,
    inlined from ‘SetREDefaultWordDelimiters’ at regularExp.c:4089:
/usr/include/bits/string3.h:85: warning: call to __builtin___memset_chk will always overflow destination buffer)

Changing the declaration to be:

static unsigned char  Default_Delimiters [UCHAR_MAX + 1] = {0};

or

static unsigned char  Default_Delimiters [256] = {0}; /* since we are using magic numbers later, why not just hard code it! */

solves the problem.

----------------------------------------------------------------------


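The report above boils down to a table indexed by every unsigned char value being declared one slot short (UCHAR_MAX instead of UCHAR_MAX + 1) and then cleared with a hard-coded 256-byte memset. The following is an added illustration, not code from nedit's regularExp.c: it shows the corrected declaration, a table builder whose clear length is tied to the declaration rather than to a magic number, a compile-time guard against the size drifting again, and a small helper that computes how far a given memset length overruns a given declared size. The function and macro names (DELIM_TABLE_SIZE, make_delimiter_table, overrun_bytes, set_default_word_delimiters) are assumptions chosen for this example and do not correspond to nedit's own identifiers.

```c
#include <limits.h>
#include <stddef.h>
#include <string.h>

/* A table indexed by an unsigned char needs one slot for every value in
 * 0..UCHAR_MAX, i.e. UCHAR_MAX + 1 entries. Declaring it with UCHAR_MAX
 * entries (the bug in the report) leaves index 255 out of bounds, and a
 * memset of 256 bytes then writes one byte past the end of the array. */
#define DELIM_TABLE_SIZE (UCHAR_MAX + 1)

/* Hypothetical stand-in for nedit's Default_Delimiters, declared with the
 * corrected size from the report. */
static unsigned char Default_Delimiters[DELIM_TABLE_SIZE] = {0};

/* Compile-time guard (C89-compatible): the build fails if the declared
 * array ever stops covering the full index range again. */
typedef char delim_table_size_check[
    (sizeof Default_Delimiters == (size_t)UCHAR_MAX + 1) ? 1 : -1];

/* Number of bytes a memset of clear_len would write past the end of a
 * table declared with declared_len entries; 0 means the memset fits. */
size_t overrun_bytes(size_t declared_len, size_t clear_len)
{
    return clear_len > declared_len ? clear_len - declared_len : 0;
}

/* Builds a delimiter table: table[c] is non-zero iff c occurs in
 * delimiters. The clear length is derived from DELIM_TABLE_SIZE rather
 * than written as 256, and each character is read through unsigned char
 * so a negative plain char can never index below zero. */
void make_delimiter_table(const char *delimiters,
                          unsigned char table[DELIM_TABLE_SIZE])
{
    const unsigned char *p;

    memset(table, 0, DELIM_TABLE_SIZE * sizeof table[0]);
    for (p = (const unsigned char *)delimiters; *p != '\0'; p++)
        table[*p] = 1;
}

/* Looks a character up in the table, again casting through unsigned char
 * so that a char value of -1 maps to slot 255, the slot the buggy
 * declaration did not have. */
int is_delimiter(const unsigned char table[DELIM_TABLE_SIZE], char c)
{
    return table[(unsigned char)c] != 0;
}

/* Hypothetical stand-in for SetREDefaultWordDelimiters: fills the
 * file-scope default table. */
void set_default_word_delimiters(const char *delimiters)
{
    make_delimiter_table(delimiters, Default_Delimiters);
}

int is_default_delimiter(char c)
{
    return is_delimiter(Default_Delimiters, c);
}
```

overrun_bytes(UCHAR_MAX, 256) returns 1, which is exactly the single clobbered byte the report attributes to the adjacent Current_Delimiters variable; with the corrected size it returns 0. The compile-time check is the practical defence here: the crash only appeared under "-O2 -finline-functions", so a bug of this kind can sit unnoticed in default builds, and a size check that fails the build is cheaper than relying on gcc's __builtin___memset_chk warning being enabled.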
