Mail Archives: cygwin/2001/02/20/11:46:41

Date: Tue, 20 Feb 2001 15:12:05 +0000 (GMT)
From: Reuben Thomas <rrt1001 AT cam DOT ac DOT uk>
X-X-Sender: <rrt AT localhost DOT localdomain>
To: <cygwin AT cygwin DOT com>
Subject: mingw > 20001111: fstat bug: buffer overflow?
Message-ID: <Pine.LNX.4.33.0102201240330.1238-100000@localhost.localdomain>
MIME-Version: 1.0

In mingw versions later than 20001111, i.e. 20001225 and 20010130, fstat
seems to overrun the stat buffer passed to it. This is illustrated by the
following program, in which if a simple struct stat is passed to test, foo
crashes when it tries to return (presumably the return address is
overwritten). If a struct bar (with extra padding before and after the
struct stat) is used instead, there is no error.

From looking at /usr/include/mingw/stat.h, it seems that there are at least
two different versions of struct stat in play, potentially with different
types, but I don't claim to understand what's going on.

#include <stddef.h>
#include <stdio.h>
#include <sys/stat.h>

struct bar {
  double a;
  struct stat sb;
  double b;
};

int test(void) {
/* either */
  struct bar s;
  printf("%d\n", fstat(1, &(s.sb)));
/* or
  struct stat sb;
  printf("%d\n", fstat(1, &sb));
*/
  return 0;
}

int foo(void) {
  fprintf(stderr, "%d\n", test());
  fflush(stderr);
  return 1;
}

int main(void) {
  printf("%d\n", foo());
  return 0;
}
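
Added example (not part of the original post and not mingw code): a canary-guarded probe that generalizes the struct bar padding trick above by counting how many bytes a stat-family call writes outside struct stat. The names probe_stat_overrun, real_fstat and oversized_fstat, the 64-byte guard and the 16-byte oversize are assumptions made for illustration; oversized_fstat is a stand-in simulating a library built against a larger struct stat than the header declares.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

#define GUARD   64                    /* canary bytes on each side (constructed) */
#define CANARY  0xA5                  /* fill pattern (constructed) */
#define SB_SIZE sizeof(struct stat)   /* size the *header* gives the compiler */

typedef int (*stat_fn)(int fd, void *buf);   /* hypothetical wrapper type */

/* Arena layout: [front canary][struct stat][back canary].
   The union aligns the bytes for struct stat; GUARD is a multiple of that. */
static union {
    struct stat   align;
    unsigned char bytes[GUARD + SB_SIZE + GUARD];
} arena;

/* Count bytes that no longer hold the canary value. A write that happens
   to store 0xA5 is not seen, so the result is a lower bound. */
static long changed(const unsigned char *p, size_t n) {
    long hits = 0;
    for (size_t i = 0; i < n; i++)
        if (p[i] != CANARY) hits++;
    return hits;
}

/* Returns the number of canary bytes the call modified, or -1 if it failed. */
long probe_stat_overrun(stat_fn fn, int fd) {
    memset(arena.bytes, CANARY, sizeof arena.bytes);
    if (fn(fd, arena.bytes + GUARD) != 0)
        return -1;
    return changed(arena.bytes, GUARD) +
           changed(arena.bytes + GUARD + SB_SIZE, GUARD);
}

/* The fstat actually linked into this program. */
int real_fstat(int fd, void *buf) { return fstat(fd, buf); }

/* Stand-in for a mismatched library: writes 16 bytes more than SB_SIZE.
   The extra bytes land in the back canary, so the demo stays in bounds. */
int oversized_fstat(int fd, void *buf) {
    (void)fd;
    memset(buf, 0, SB_SIZE + 16);
    return 0;
}

int main(void) {
    printf("sizeof(struct stat) per header: %zu\n", SB_SIZE);
    printf("real fstat: %ld guard bytes changed\n", probe_stat_overrun(real_fstat, 1));
    printf("stand-in:   %ld guard bytes changed\n", probe_stat_overrun(oversized_fstat, 1));
    return 0;
}
```

A nonzero count for real_fstat means the header and the linked library disagree about the size or layout of struct stat.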


