Delivered-To: mailing list cygwin@sources.redhat.com
Date: Tue, 20 Feb 2001 15:12:05 +0000 (GMT)
From: Reuben Thomas
Subject: mingw > 20001111: fstat bug: buffer overflow?

In mingw versions later than 20001111, i.e. 20001225 and 20010130, fstat
seems to overrun the stat buffer passed to it. This is illustrated by the
following program, in which if a simple struct stat is passed to test, foo
crashes when it tries to return (presumably the return address is
overwritten). If a struct bar (with extra padding before and after the
struct stat) is used instead, there is no error.

From looking at /usr/include/mingw/stat.h, it seems that there are at least
two different versions of struct stat in play, potentially with different
types, but I don't claim to understand what's going on.

#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

/* struct stat with padding before and after it */
struct bar {
  double a;
  struct stat sb;
  double b;
};

int test(void)
{
  /* either */
  struct bar s;
  printf("%d\n", fstat(1, &(s.sb)));
  /* or
  struct stat sb;
  printf("%d\n", fstat(1, &sb));
  */
  return 0;
}

int foo(void)
{
  fprintf(stderr, "%d\n", test());
  fflush(stderr);
  return 1;
}

int main(void)
{
  printf("%d\n", foo());
  return 0;
}
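
An added example, not part of the original post: one way to confirm the kind of overrun described above is to place guard bytes on both sides of the struct stat and count how many a call modifies. The names guard_bytes_clobbered, real_fstat and oversized_fstat are hypothetical, and oversized_fstat is a constructed stand-in for a library compiled against a larger struct stat than the caller's.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

#define GUARD 64          /* guard bytes on each side; keeps sb aligned */
#define PATTERN 0xA5      /* fill value used to spot stray writes */

typedef int (*stat_fn)(int fd, struct stat *sb);

/* The C library's fstat, wrapped so it can be passed as a pointer. */
static int real_fstat(int fd, struct stat *sb) { return fstat(fd, sb); }

/* Constructed stand-in: behaves like a library whose struct stat is
   8 bytes larger than the one the caller was compiled with. */
static int oversized_fstat(int fd, struct stat *sb)
{
    (void)fd;
    memset((unsigned char *)sb, 0, sizeof *sb + 8);
    return 0;
}

/* Returns the number of guard bytes modified outside the struct stat,
   or -1 if the call failed or memory could not be allocated. */
int guard_bytes_clobbered(stat_fn fn, int fd)
{
    size_t i, total = GUARD + sizeof(struct stat) + GUARD;
    unsigned char *buf = malloc(total);
    int hit = 0;

    if (buf == NULL) return -1;
    memset(buf, PATTERN, total);
    if (fn(fd, (struct stat *)(buf + GUARD)) != 0) {
        free(buf);
        return -1;
    }
    for (i = 0; i < GUARD; i++) {
        hit += buf[i] != PATTERN;                                /* before */
        hit += buf[GUARD + sizeof(struct stat) + i] != PATTERN;  /* after  */
    }
    free(buf);
    return hit;
}

int main(void)
{
    printf("fstat: %d\n", guard_bytes_clobbered(real_fstat, 1));
    printf("constructed overrun: %d\n", guard_bytes_clobbered(oversized_fstat, 1));
    return 0;
}
```

A non-zero result for real_fstat on a given toolchain means the library writes more than sizeof(struct stat) as seen by the compiler, which points to mismatched headers and runtime.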