| rev |
line source |
|
Hans-G?nter@24362
|
1 From 0718b375425aad8e54e1150313b862e4c6fd324a Mon Sep 17 00:00:00 2001
|
|
Hans-G?nter@24362
|
2 From: Kevin Atkinson <kevina@gnu.org>
|
|
Hans-G?nter@24362
|
3 Date: Sat, 21 Dec 2019 20:32:47 +0000
|
|
Hans-G?nter@24362
|
4 Subject: [PATCH] objstack: assert that the alloc size will fit within a chunk
|
|
Hans-G?nter@24362
|
5 to prevent a buffer overflow
|
|
Hans-G?nter@24362
|
6
|
|
Hans-G?nter@24362
|
7 Bug found using OSS-Fuze.
|
|
Hans-G?nter@24362
|
8 ---
|
|
Hans-G?nter@24362
|
9 common/objstack.hpp | 18 ++++++++++++++----
|
|
Hans-G?nter@24362
|
10 1 file changed, 14 insertions(+), 4 deletions(-)
|
|
Hans-G?nter@24362
|
11
|
|
Hans-G?nter@24362
|
12 diff --git a/common/objstack.hpp b/common/objstack.hpp
|
|
Hans-G?nter@24362
|
13 index 3997bf7..bd97ccd 100644
|
|
Hans-G?nter@24362
|
14 --- a/common/objstack.hpp
|
|
Hans-G?nter@24362
|
15 +++ b/common/objstack.hpp
|
|
Hans-G?nter@24362
|
16 @@ -5,6 +5,7 @@
|
|
Hans-G?nter@24362
|
17 #include "parm_string.hpp"
|
|
Hans-G?nter@24362
|
18 #include <stdlib.h>
|
|
Hans-G?nter@24362
|
19 #include <assert.h>
|
|
Hans-G?nter@24362
|
20 +#include <stddef.h>
|
|
Hans-G?nter@24362
|
21
|
|
Hans-G?nter@24362
|
22 namespace acommon {
|
|
Hans-G?nter@24362
|
23
|
|
Hans-G?nter@24362
|
24 @@ -26,6 +27,12 @@ class ObjStack
|
|
Hans-G?nter@24362
|
25 byte * temp_end;
|
|
Hans-G?nter@24362
|
26 void setup_chunk();
|
|
Hans-G?nter@24362
|
27 void new_chunk();
|
|
Hans-G?nter@24362
|
28 + bool will_overflow(size_t sz) const {
|
|
Hans-G?nter@24362
|
29 + return offsetof(Node,data) + sz > chunk_size;
|
|
Hans-G?nter@24362
|
30 + }
|
|
Hans-G?nter@24362
|
31 + void check_size(size_t sz) {
|
|
Hans-G?nter@24362
|
32 + assert(!will_overflow(sz));
|
|
Hans-G?nter@24362
|
33 + }
|
|
Hans-G?nter@24362
|
34
|
|
Hans-G?nter@24362
|
35 ObjStack(const ObjStack &);
|
|
Hans-G?nter@24362
|
36 void operator=(const ObjStack &);
|
|
Hans-G?nter@24362
|
37 @@ -56,7 +63,7 @@ class ObjStack
|
|
Hans-G?nter@24362
|
38 void * alloc_bottom(size_t size) {
|
|
Hans-G?nter@24362
|
39 byte * tmp = bottom;
|
|
Hans-G?nter@24362
|
40 bottom += size;
|
|
Hans-G?nter@24362
|
41 - if (bottom > top) {new_chunk(); tmp = bottom; bottom += size;}
|
|
Hans-G?nter@24362
|
42 + if (bottom > top) {check_size(size); new_chunk(); tmp = bottom; bottom += size;}
|
|
Hans-G?nter@24362
|
43 return tmp;
|
|
Hans-G?nter@24362
|
44 }
|
|
Hans-G?nter@24362
|
45 // This alloc_bottom will insure that the object is aligned based on the
|
|
Hans-G?nter@24362
|
46 @@ -66,7 +73,7 @@ class ObjStack
|
|
Hans-G?nter@24362
|
47 align_bottom(align);
|
|
Hans-G?nter@24362
|
48 byte * tmp = bottom;
|
|
Hans-G?nter@24362
|
49 bottom += size;
|
|
Hans-G?nter@24362
|
50 - if (bottom > top) {new_chunk(); goto loop;}
|
|
Hans-G?nter@24362
|
51 + if (bottom > top) {check_size(size); new_chunk(); goto loop;}
|
|
Hans-G?nter@24362
|
52 return tmp;
|
|
Hans-G?nter@24362
|
53 }
|
|
Hans-G?nter@24362
|
54 char * dup_bottom(ParmString str) {
|
|
Hans-G?nter@24362
|
55 @@ -79,7 +86,7 @@ class ObjStack
|
|
Hans-G?nter@24362
|
56 // always be aligned as such.
|
|
Hans-G?nter@24362
|
57 void * alloc_top(size_t size) {
|
|
Hans-G?nter@24362
|
58 top -= size;
|
|
Hans-G?nter@24362
|
59 - if (top < bottom) {new_chunk(); top -= size;}
|
|
Hans-G?nter@24362
|
60 + if (top < bottom) {check_size(size); new_chunk(); top -= size;}
|
|
Hans-G?nter@24362
|
61 return top;
|
|
Hans-G?nter@24362
|
62 }
|
|
Hans-G?nter@24362
|
63 // This alloc_top will insure that the object is aligned based on
|
|
Hans-G?nter@24362
|
64 @@ -88,7 +95,7 @@ class ObjStack
|
|
Hans-G?nter@24362
|
65 {loop:
|
|
Hans-G?nter@24362
|
66 top -= size;
|
|
Hans-G?nter@24362
|
67 align_top(align);
|
|
Hans-G?nter@24362
|
68 - if (top < bottom) {new_chunk(); goto loop;}
|
|
Hans-G?nter@24362
|
69 + if (top < bottom) {check_size(size); new_chunk(); goto loop;}
|
|
Hans-G?nter@24362
|
70 return top;
|
|
Hans-G?nter@24362
|
71 }
|
|
Hans-G?nter@24362
|
72 char * dup_top(ParmString str) {
|
|
Hans-G?nter@24362
|
73 @@ -117,6 +124,7 @@ class ObjStack
|
|
Hans-G?nter@24362
|
74 void * alloc_temp(size_t size) {
|
|
Hans-G?nter@24362
|
75 temp_end = bottom + size;
|
|
Hans-G?nter@24362
|
76 if (temp_end > top) {
|
|
Hans-G?nter@24362
|
77 + check_size(size);
|
|
Hans-G?nter@24362
|
78 new_chunk();
|
|
Hans-G?nter@24362
|
79 temp_end = bottom + size;
|
|
Hans-G?nter@24362
|
80 }
|
|
Hans-G?nter@24362
|
81 @@ -131,6 +139,7 @@ class ObjStack
|
|
Hans-G?nter@24362
|
82 } else {
|
|
Hans-G?nter@24362
|
83 size_t s = temp_end - bottom;
|
|
Hans-G?nter@24362
|
84 byte * p = bottom;
|
|
Hans-G?nter@24362
|
85 + check_size(size);
|
|
Hans-G?nter@24362
|
86 new_chunk();
|
|
Hans-G?nter@24362
|
87 memcpy(bottom, p, s);
|
|
Hans-G?nter@24362
|
88 temp_end = bottom + size;
|
|
Hans-G?nter@24362
|
89 @@ -150,6 +159,7 @@ class ObjStack
|
|
Hans-G?nter@24362
|
90 } else {
|
|
Hans-G?nter@24362
|
91 size_t s = temp_end - bottom;
|
|
Hans-G?nter@24362
|
92 byte * p = bottom;
|
|
Hans-G?nter@24362
|
93 + check_size(size);
|
|
Hans-G?nter@24362
|
94 new_chunk();
|
|
Hans-G?nter@24362
|
95 memcpy(bottom, p, s);
|
|
Hans-G?nter@24362
|
96 temp_end = bottom + size;
|