From: "Ozkan Sezer (sezeroz AT gmail DOT com) [via djgpp-workers AT delorie DOT com]"
Date: Tue, 16 May 2017 19:39:03 +0300
Message-ID:
Subject: dxe3gen patch: replace memcmp with strncmp
To: djgpp AT delorie DOT com, djgpp-workers AT delorie DOT com
Content-Type: text/plain; charset="UTF-8"
Reply-To: djgpp-workers AT delorie DOT com

When dxe3gen is built from current source with -fsanitize=address, asan
(from gcc-4.9.4) aborts with the following:

==7887==ERROR: AddressSanitizer: stack-buffer-overflow on address 0xbf98b830 at pc 0x80b1f76 bp 0xbf98b6e8 sp 0xbf98b6dc
READ of size 11 at 0xbf98b830 thread T0
    #0 0x80b1f75 in write_dxe /home/sezero/djgpp-cvs/src/dxe/dxe3gen.c:1178
    #1 0x80b47dd in main /home/sezero/djgpp-cvs/src/dxe/dxe3gen.c:1639
    #2 0x6f0f5d5 in __libc_start_main (/lib/libc.so.6+0x6f0f5d5)
    #3 0x804e1a0 (/home/sezero/proj/dxe3gen+0x804e1a0)

Address 0xbf98b830 is located in stack of thread T0 at offset 160 in frame
    #0 0x80b01b6 in write_dxe /home/sezero/djgpp-cvs/src/dxe/dxe3gen.c:931

  This frame has 6 object(s):
    [32, 36) 'stsz'
    [96, 100) 'real_nrelocs'
    [160, 169) 'tmp' <== Memory access at offset 160 partially overflows this variable
    [224, 240) 'fill'
    [288, 328) 'sc'
    [384, 464) 'dh'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/sezero/djgpp-cvs/src/dxe/dxe3gen.c:1178 write_dxe
==7887==ABORTING

Replacing two memcmp() calls with strncmp() cures this, as in the
following patch.  If no one objects, I'd like to apply this tomorrow or
the day after.

Index: src/dxe/dxe3gen.c
===================================================================
RCS file: /cvs/djgpp/djgpp/src/dxe/dxe3gen.c,v
retrieving revision 1.24
diff -u -p -r1.24 dxe3gen.c
--- src/dxe/dxe3gen.c	30 Apr 2017 08:03:04 -0000	1.24
+++ src/dxe/dxe3gen.c	16 May 2017 16:28:28 -0000
@@ -1160,7 +1160,7 @@ static int write_dxe(FILE *inf, FILE *ou
       BOOL ok = FALSE;
       for (j = 0; j < opt.num_excl; j++)
       {
-        if (memcmp(opt.excl_prefix[j], name, strlen(opt.excl_prefix[j])) == 0)
+        if (strncmp(opt.excl_prefix[j], name, strlen(opt.excl_prefix[j])) == 0)
         {
           ok = TRUE;
           break;
@@ -1175,7 +1175,7 @@ static int write_dxe(FILE *inf, FILE *ou
       BOOL ok = FALSE;
       for (j = 0; j < opt.num_prefix; j++)
       {
-        if (memcmp(opt.export_prefix[j], name, strlen(opt.export_prefix[j])) == 0)
+        if (strncmp(opt.export_prefix[j], name, strlen(opt.export_prefix[j])) == 0)
         {
           ok = TRUE;
           break;
-- 
O.S.
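Review bot: the strncmp replacement in the excl_prefix hunk is the right fix for the over-read, because memcmp(opt.excl_prefix[j], name, strlen(opt.excl_prefix[j])) always reads strlen(prefix) bytes from `name` even when `name` is shorter than the prefix (the 9-byte `tmp` versus the READ of size 11 in the report), whereas strncmp stops at the first differing byte or at the terminating NUL of the shorter string and so stays inside `name`; the result is still a correct prefix test because the length passed is exactly the prefix's own length. Consider adding a one-line comment above the condition saying why strncmp rather than memcmp, so a later cleanup does not revert it.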
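Review bot: the export_prefix hunk repeats the excl_prefix loop byte for byte apart from the array and count; a small static helper such as `static BOOL has_prefix(const char *prefix, const char *name)` returning `strncmp(prefix, name, strlen(prefix)) == 0` would keep the two checks in one place, avoid recomputing strlen() inside the condition on every iteration, and make it impossible for one loop to be fixed and the other not.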
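To make the cause of the over-read concrete, here is an added example (not part of the patch or of the dxe3gen source) that compares what the pre-patch memcmp test and the patched strncmp test read from `name`; the prefix string "dxe_prefix_" and the 9-byte buffer are constructed to mirror the report's READ of size 11 on the 9-byte `tmp`.

```c
#include <stdio.h>
#include <string.h>

/* The patched test: strncmp compares at most strlen(prefix) bytes and stops
 * at the first differing byte or at a terminating NUL, so it never reads
 * past the end of a `name` shorter than the prefix. Returns 1 on a match. */
int has_prefix(const char *prefix, const char *name)
{
    return strncmp(prefix, name, strlen(prefix)) == 0;
}

/* Bytes of `name` the pre-patch memcmp(prefix, name, strlen(prefix)) reads:
 * always the full prefix length, however short `name` really is. */
size_t memcmp_bytes_read(const char *prefix)
{
    return strlen(prefix);
}

/* Bytes of `name` that strncmp(prefix, name, strlen(prefix)) examines: the
 * first differing byte is the last one read. A NUL in `name` always differs
 * from a prefix byte (i < strlen(prefix)), so strncmp stops there too. */
size_t strncmp_bytes_read(const char *prefix, const char *name)
{
    size_t n = strlen(prefix), i;
    for (i = 0; i < n; i++)
        if (prefix[i] != name[i])
            return i + 1;
    return n;
}

/* How far memcmp runs past a `name` buffer of bufsize bytes (0 = in bounds). */
size_t memcmp_overread(const char *prefix, size_t bufsize)
{
    size_t n = memcmp_bytes_read(prefix);
    return n > bufsize ? n - bufsize : 0;
}

int main(void)
{
    /* Constructed inputs: an 11-char prefix and a 9-byte buffer, the sizes
     * in the ASan report (READ of size 11 on 'tmp' [160, 169)). */
    const char *prefix = "dxe_prefix_";
    char tmp[9] = "_sym";

    printf("memcmp would read %zu bytes, %zu past the end of tmp\n",
           memcmp_bytes_read(prefix), memcmp_overread(prefix, sizeof tmp));
    printf("strncmp reads %zu byte(s) and reports match=%d\n",
           strncmp_bytes_read(prefix, tmp), has_prefix(prefix, tmp));
    return 0;
}
```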