From: Jens Alfke
Subject: [bug #35699] NSStrings can point into garbage memory (misuse of app-supplied backing buffer)
Date: Fri, 02 Mar 2012 18:21:40 +0000
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.22 (KHTML, like Gecko) Chrome/19.0.1049.3 Safari/535.22
URL:
<http://savannah.gnu.org/bugs/?35699>
Summary: NSStrings can point into garbage memory (misuse of app-supplied backing buffer)
Project: GNUstep
Submitted by: snej
Submitted on: Fri 02 Mar 2012 06:21:39 PM GMT
Category: Base/Foundation
Severity: 3 - Normal
Item Group: Bug
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
_______________________________________________________
Details:
NSString is insufficiently careful in its use of externally-provided buffers
(i.e. passed to -initWithBytesNoCopy:). Substrings created from such a string
apparently point into the same temporary buffer, even after the original
string is released, meaning that their contents become garbage as soon as the
buffer contents become invalid.
In the test case below, the contents of the NSString 'substr' change if the
temporary buffer is modified, even after the original string created from that
buffer is released. This is of course likely to lead to very nasty side
effects later on.
I don't know the details of Apple's NSString implementation, but my
understanding is that the -substringWithRange: method should not allow the
string it returns to share a buffer with the original string, when the
original string uses ephemeral user-supplied memory.
TEST CASE
#import <Foundation/Foundation.h>
#include <string.h>

void test(void)
{
    char buffer[] = "I HAZ A BUFFER";
    // NoCopy: the string is told to use buffer[] directly as its backing store
    NSString* str = [[NSString alloc] initWithBytesNoCopy: buffer
                                                   length: strlen(buffer)
                                                 encoding: NSUTF8StringEncoding
                                             freeWhenDone: NO];
    NSString* substr = [str substringWithRange: NSMakeRange(2, 3)];
    NSLog(@"substr = '%@'", substr);
    NSAssert([substr isEqualToString: @"HAZ"], @"bad substr");
    [str release]; // after this point nothing should be using the contents of buffer[]!
    memset(buffer, '*', sizeof(buffer));
    NSLog(@"substr = '%@'", substr);
    NSAssert([substr isEqualToString: @"HAZ"], @"bad substr");
}
_______________________________________________________
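As an added example (not part of the bug report above), the following shows the caller-side check and workaround for this aliasing: the same NoCopy setup is run twice, once as reported and once with the substring detached into storage it owns before the buffer is released and overwritten. The function name `substringSurvives` is mine; it assumes a Foundation/GNUstep build with manual retain/release, like the test case above.

```objc
#import <Foundation/Foundation.h>
#include <string.h>

/* Returns YES if the substring still reads "HAZ" after the backing buffer it
 * might alias has been released and clobbered, NO if it was pointing into the
 * caller's (now overwritten) memory. 'detach' selects the workaround. */
static BOOL substringSurvives(BOOL detach)
{
    char buffer[] = "I HAZ A BUFFER";
    NSString *str = [[NSString alloc] initWithBytesNoCopy: buffer
                                                   length: strlen(buffer)
                                                 encoding: NSUTF8StringEncoding
                                             freeWhenDone: NO];
    NSString *substr = [str substringWithRange: NSMakeRange(2, 3)];

    if (detach) {
        /* Workaround: rebuild the substring from its bytes with a copying
         * initializer, so it owns fresh storage whether or not the
         * implementation shares the NoCopy buffer. Done while buffer[] is
         * still valid. */
        const char *utf8 = [substr UTF8String];
        substr = [[[NSString alloc] initWithBytes: utf8
                                           length: strlen(utf8)
                                         encoding: NSUTF8StringEncoding] autorelease];
    }

    [str release];                          /* buffer[] must not be used after this */
    memset(buffer, '*', sizeof(buffer));    /* simulate the buffer being reused */
    return [substr isEqualToString: @"HAZ"];
}

int main(void)
{
    NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];
    /* On an implementation with the reported bug the first line prints 0 and
     * the second 1; on a correct implementation both print 1. */
    NSLog(@"shared substring survives:   %d", substringSurvives(NO));
    NSLog(@"detached substring survives: %d", substringSurvives(YES));
    [pool release];
    return 0;
}
```

The first call is the detection check (a regression test for the bug); the second is what application code can do until the library guarantees that substrings never share an ephemeral caller-supplied buffer.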