cvs bug -- write/read beyond end of allocated area
From: David Taylor
Subject: cvs bug -- write/read beyond end of allocated area
Date: Wed, 30 Mar 2011 10:52:28 -0400
Running the testsuite, cvs was aborting in test basica-o7.
If I ran the same command outside of the testsuite, it ran fine.
During my investigations, I ran it under valgrind and it found a problem
in gpg.c (parse_signature_subpacket) -- cvs is writing (and then
reading) past the end of the allocated area. Visual inspection revealed
a 2nd, very similar, problem in the same function -- in both cases it
allocates room for 4 bytes and writes 5. Oops.
Here's a patch (cvs diff -u) against the trunk. After applying this
patch, valgrind no longer complains and basica-o7 passes rather than
aborting.
Index: gpg.c
===================================================================
RCS file: /sources/cvs/ccvs/src/gpg.c,v
retrieving revision 1.4
diff -u -r1.4 gpg.c
--- gpg.c 24 May 2006 16:38:50 -0000 1.4
+++ gpg.c 30 Mar 2011 14:51:10 -0000
@@ -404,7 +404,7 @@
size_t raw_idx = 0;
/* Enough to store the subpacket length. */
- spout->raw = xmalloc (4);
+ spout->raw = xmalloc (5);
if ((rc = read_u8 (bpin, &c)))
return rc;
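Review bot: the comment above the allocation still reads "Enough to store the subpacket length" while the size changes from 4 to 5 with nothing saying why 5 is now enough, so the next reader can only check it against valgrind, not against the format. Replace the bare number with a named constant for the longest length encoding and extend the comment to say that an OpenPGP subpacket length takes at most five octets (a 0xFF marker followed by a four-octet length), e.g. `/* Enough to store the longest subpacket length encoding (5 octets). */`.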
@@ -435,7 +435,7 @@
error (1, 0, "Received zero length subpacket in OpenPGP signature.");
/* Allocate enough bytes for the rest of the subpacket. */
- spout->raw = xrealloc (spout->raw, splen);
+ spout->raw = xrealloc (spout->raw, splen + 1);
/* Read the subpacket type. */
if ((rc = read_u8 (bpin, &c)))
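Review bot: the `+ 1` on the xrealloc is unexplained and the comment "Allocate enough bytes for the rest of the subpacket" does not say which byte it covers, so it is not possible to tell from the hunk whether the new size is right or merely large enough for the test case. `raw_idx`, declared at the top of the function, suggests the length octets read before this point are kept in `spout->raw` ahead of the type octet and body; if so, the buffer needs `raw_idx + splen` bytes, and `splen + 1` only matches the one-octet length form (for the five-octet form that the previous hunk sizes for, it would still be four bytes short). Please confirm what `spout->raw` holds at this point, derive the xrealloc size from that, and say so in the comment.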
David
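As an added worked example, not CVS's code and not part of the message above, here is a small OpenPGP signature subpacket parser that sizes the raw copy from what it actually stores (length octets, type octet and body) instead of from a fixed 4 or from the body length alone, which is the sizing mistake the message describes. It assumes the RFC 4880 subpacket length encoding (one, two or five octets); the names subpacket_length_decode, subpacket_parse, struct subpacket and SUBPKT_LEN_OCTETS_MAX are this example's own, and the sample subpacket bytes are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Longest subpacket length encoding: a 0xFF marker plus a four-octet length. */
#define SUBPKT_LEN_OCTETS_MAX 5

/* Decode an OpenPGP subpacket length (RFC 4880 section 5.2.3.1).
 * Writes the subpacket length (type octet included) to *splen and returns the
 * number of length octets consumed: 1, 2 or 5.  Returns 0 if the input is too
 * short to hold the encoding its first octet announces. */
size_t subpacket_length_decode(const uint8_t *in, size_t inlen, uint32_t *splen)
{
    if (inlen < 1)
        return 0;
    uint8_t c = in[0];
    if (c < 192) {                       /* one-octet form: 0..191 */
        *splen = c;
        return 1;
    }
    if (c < 255) {                       /* two-octet form: 192..16383 */
        if (inlen < 2)
            return 0;
        *splen = ((uint32_t)(c - 192) << 8) + in[1] + 192;
        return 2;
    }
    if (inlen < SUBPKT_LEN_OCTETS_MAX)   /* five-octet form: 0xFF + big-endian u32 */
        return 0;
    *splen = ((uint32_t)in[1] << 24) | ((uint32_t)in[2] << 16)
           | ((uint32_t)in[3] << 8)  |  (uint32_t)in[4];
    return SUBPKT_LEN_OCTETS_MAX;
}

struct subpacket {
    uint8_t *raw;        /* verbatim copy: length octets, type octet, body */
    size_t raw_len;
    uint8_t type;
    const uint8_t *body; /* points into raw, just after the type octet */
    size_t body_len;
};

/* Parse one subpacket from `in`.  Returns the number of input bytes consumed
 * (equal to out->raw_len), or 0 on malformed or truncated input.  The raw
 * buffer is allocated once, from the number of length octets actually read
 * plus the announced length, so every byte copied into it has room. */
size_t subpacket_parse(const uint8_t *in, size_t inlen, struct subpacket *out)
{
    uint32_t splen;
    size_t lenoct = subpacket_length_decode(in, inlen, &splen);
    if (lenoct == 0)
        return 0;
    if (splen == 0)                      /* no room even for the type octet */
        return 0;
    if (splen > inlen - lenoct)          /* body would run past the input */
        return 0;
    out->raw_len = lenoct + splen;
    out->raw = malloc(out->raw_len);
    if (out->raw == NULL)
        return 0;
    memcpy(out->raw, in, out->raw_len);
    out->type = out->raw[lenoct];
    out->body = out->raw + lenoct + 1;
    out->body_len = splen - 1;
    return out->raw_len;
}

void subpacket_free(struct subpacket *sp)
{
    free(sp->raw);
    sp->raw = NULL;
}

/* Constructed sample: a Signature Creation Time subpacket (type 2) written
 * with the five-octet length form, the case that needs all five length octets. */
static const uint8_t SAMPLE_FIVE_OCTET[] = {
    0xFF, 0x00, 0x00, 0x00, 0x05,   /* length = 5 (type octet + 4-octet time) */
    0x02,                           /* type: Signature Creation Time */
    0x4D, 0x93, 0x2B, 0x2C          /* constructed timestamp bytes */
};

int main(void)
{
    struct subpacket sp;
    size_t n = subpacket_parse(SAMPLE_FIVE_OCTET, sizeof SAMPLE_FIVE_OCTET, &sp);
    if (n == 0) {
        puts("malformed subpacket");
        return 1;
    }
    printf("type %u, %zu length octets, body %zu bytes, raw buffer %zu bytes\n",
           sp.type, sp.raw_len - sp.body_len - 1, sp.body_len, sp.raw_len);
    subpacket_free(&sp);
    return 0;
}
```

The point of computing `lenoct + splen` in one place is that the size of the copy and the size of the allocation come from the same arithmetic; a fixed initial size followed by a resize invites exactly the kind of off-by-one the message reports, and a truncation check against the input before the copy keeps a short or hostile stream from turning into a read past the end of the input.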