Delivered-To: mailing list cygwin AT sources DOT redhat DOT com
Date: Tue, 20 Feb 2001 15:12:05 +0000 (GMT)
From: Reuben Thomas
Subject: mingw > 20001111: fstat bug: buffer overflow?

In mingw versions later than 20001111, i.e. 20001225 and 20010130, fstat
seems to overrun the stat buffer passed to it. This is illustrated by the
following program, in which if a simple struct stat is passed to test, foo
crashes when it tries to return (presumably the return address is
overwritten). If a struct bar (with extra padding before and after the
struct stat) is used instead, there is no error.

From looking at /usr/include/mingw/stat.h, it seems that there are at
least two different versions of struct stat in play, potentially with
different types, but I don't claim to understand what's going on.

#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

struct bar {
  double a;
  struct stat sb;
  double b;
};

int test(void)
{
  /* either */
  struct bar s;
  printf("%d\n", fstat(1, &(s.sb)));
  /* or
  struct stat sb;
  printf("%d\n", fstat(1, &sb));
  */
  return 0;
}

int foo(void)
{
  fprintf(stderr, "%d\n", test());
  fflush(stderr);
  return 1;
}

int main(void)
{
  printf("%d\n", foo());
  return 0;
}
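
A guard-zone check for the overrun described in the post, as an added example that is not part of the original message: it places a struct stat between two pattern-filled regions (the same idea as the post's struct bar padding), calls the function under test, and counts the guard bytes that were clobbered. The names `check_stat_overrun`, `call_fstat` and `oversized_fstat` are hypothetical, and the 12-byte excess written by `oversized_fstat` is a constructed value, not the actual mingw discrepancy.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

#define GUARD   64    /* guard bytes on each side; a multiple of 16 keeps sb aligned */
#define PATTERN 0xA5  /* fill value for the guard zones */

typedef int (*stat_fn)(int fd, struct stat *sb);

/* Wrapper so fstat can be passed as a pointer even where it is a macro or inline. */
static int call_fstat(int fd, struct stat *sb) { return fstat(fd, sb); }

/* Constructed stand-in for a library whose struct stat is 12 bytes larger
   than the one the caller compiled against: it fills that many extra bytes. */
static int oversized_fstat(int fd, struct stat *sb)
{
    (void)fd;
    memset(sb, 0, sizeof *sb + 12);
    return 0;
}

/* Count guard bytes that no longer hold PATTERN. */
static size_t dirty(const unsigned char *g)
{
    size_t i, n = 0;
    for (i = 0; i < GUARD; i++)
        n += (g[i] != PATTERN);
    return n;
}

/* Run fn on a struct stat placed between two guard zones inside one heap block;
   return how many guard bytes it clobbered, or (size_t)-1 if malloc fails. */
size_t check_stat_overrun(stat_fn fn, int fd)
{
    size_t total = 2 * GUARD + sizeof(struct stat), n;
    unsigned char *buf = malloc(total);
    if (buf == NULL) return (size_t)-1;
    memset(buf, PATTERN, total);
    (void)fn(fd, (struct stat *)(buf + GUARD));
    n = dirty(buf) + dirty(buf + GUARD + sizeof(struct stat));
    free(buf);
    return n;
}

int main(void)
{
    printf("fstat: %lu\n", (unsigned long)check_stat_overrun(call_fstat, 1));
    printf("oversized: %lu\n", (unsigned long)check_stat_overrun(oversized_fstat, 1));
    return 0;
}
```

A non-zero count for `call_fstat` means the library wrote more than `sizeof(struct stat)` as seen by the compiler, which points to a header and library disagreement about the structure layout.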