[ nedit-Bugs-2858723 ] Off by one error causes crash with certain optimizations

SourceForge.net noreply at sourceforge.net
Mon Sep 14 21:22:32 CEST 2009


Bugs item #2858723, was opened at 2009-09-14 19:47
Message generated for change (Settings changed) made by edg
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=111005&aid=2858723&group_id=11005

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
>Category: Program
>Group: release
>Status: Closed
>Resolution: Fixed
Priority: 5
Private: No
Submitted By: Evan Teran (eteran)
>Assigned to: Eddy De Greef (edg)
Summary: Off by one error causes crash with certain optimizations

Initial Comment:
regularExp.c contains an off by one error. Default_Delimiters is defined as


static unsigned char  Default_Delimiters [UCHAR_MAX] = {0};

Note, that UCHAR_MAX == 255 on most architectures. Later, makeDelimiterTable does the following on line 4089:

memset (table, 0, 256);

This overwrites one byte of an adjacent variable with 0, most likely the Current_Delimiters variable. When compiling with "-O2 -finline-functions" this will cause a crash. (Also some versions of gcc will give a warning about the buffer overflow:

In file included from /usr/include/string.h:640,
                 from regularExp.c:83:
In function ‘memset’,
    inlined from ‘SetREDefaultWordDelimiters’ at regularExp.c:4089:
/usr/include/bits/string3.h:85: warning: call to __builtin___memset_chk will always overflow destination buffer

Changing the declaration to be:

static unsigned char  Default_Delimiters [UCHAR_MAX + 1] = {0};

or

static unsigned char  Default_Delimiters [256] = {0}; /* since we are using magic numbers later, why not just hard code it! */

solves the problem

----------------------------------------------------------------------
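The following is an added example, not nedit's own code: it uses the corrected `UCHAR_MAX + 1` declaration from the report and pairs it with a delimiter-table builder whose `memset` length is derived from the array type rather than written as a literal 256, so the length cannot silently drift from the declaration again. The function names `make_delimiter_table`, `is_delimiter`, `count_delimiters_set` and `check_delimiter` are hypothetical and do not correspond to nedit's `makeDelimiterTable` or `SetREDefaultWordDelimiters`; the delimiter strings are constructed sample input.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* One slot per possible unsigned char value: 0..UCHAR_MAX, i.e. UCHAR_MAX + 1 entries. */
#define DELIM_TABLE_SIZE (UCHAR_MAX + 1)

/* Corrected declaration from the report: UCHAR_MAX + 1 rather than UCHAR_MAX,
 * so table[255] exists and a 256-byte memset stays inside the object. */
static unsigned char Default_Delimiters[DELIM_TABLE_SIZE] = {0};

/* Compile-time check that the table covers every byte value (assumes CHAR_BIT == 8). */
_Static_assert(sizeof Default_Delimiters == 256, "delimiter table must have 256 entries");

/* Fill a delimiter table from a NUL-terminated string of delimiter characters.
 * The table is passed as a pointer to the whole array, so sizeof *table is the
 * real array size and the memset length is never a stale magic number.
 * (Hypothetical helper, not nedit's makeDelimiterTable.) */
static void make_delimiter_table(const char *delimiters,
                                 unsigned char (*table)[DELIM_TABLE_SIZE])
{
    memset(*table, 0, sizeof *table);          /* 256 bytes, derived from the type */
    for (const unsigned char *p = (const unsigned char *)delimiters; *p != '\0'; ++p)
        (*table)[*p] = 1;                      /* *p is 0..UCHAR_MAX: always in bounds */
}

/* Is byte c marked as a delimiter in the table? */
static int is_delimiter(const unsigned char *table, unsigned char c)
{
    return table[c] != 0;
}

/* Build the table for 'delimiters' and return how many byte values are marked. */
int count_delimiters_set(const char *delimiters)
{
    make_delimiter_table(delimiters, &Default_Delimiters);
    int n = 0;
    for (int c = 0; c <= UCHAR_MAX; ++c)
        n += is_delimiter(Default_Delimiters, (unsigned char)c);
    return n;
}

/* Build the table for 'delimiters' and report whether byte c is a delimiter. */
int check_delimiter(const char *delimiters, unsigned char c)
{
    make_delimiter_table(delimiters, &Default_Delimiters);
    return is_delimiter(Default_Delimiters, c);
}

int main(void)
{
    /* Constructed sample inputs; "\xff" exercises the top slot (index 255)
     * that the original UCHAR_MAX-sized array did not have. */
    printf("delimiters set: %d\n", count_delimiters_set(".,;:(){}"));  /* 8 */
    printf("delimiters set: %d\n", count_delimiters_set("a\xff"));     /* 2 */
    printf("';' is delimiter: %d\n", check_delimiter(".,;", ';'));     /* 1 */
    return 0;
}
```

Building with `gcc -O2 -D_FORTIFY_SOURCE=2 -Wall` is a useful check here: the report's warning comes from glibc's fortified `__builtin___memset_chk`, which only fires when the destination size is known at compile time and optimization is on, so a plain `-O0` build of the original declaration stays silent and the overflow shows up later as the crash described.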

>Comment By: Eddy De Greef (edg)
Date: 2009-09-14 21:22

Message:
I've added the fix to CVS. Thanks.

----------------------------------------------------------------------
