Martin Sebor
Sun, 09 Jul 2006 14:25:34 -0700
Martin Sebor wrote:
> Farid Zaripov wrote:
> > I found that the rw_match function can address to the memory after the end of the string buffer.
> > It calls __rw_get_char to get the last character and this function reads a character after the end of the string buffer:
> >
> > char.cpp line 534: if ('<' == char (ch) && 'U' == src [0] && isxdigit (src [1])) {
> > char.cpp line 548: if ('@' == src [0] && isdigit (src [1])) {
> >
> > src [0] - is the place of the fail.
>
> Hmm, that does look like a subtle bug in rw_match(). Let me look into how best to fix it.

Here's a simple test case demonstrating the bug. The value returned
from rw_match() for two NUL-terminated sequences that are the same
should be the offset of the NUL character plus 1 (i.e., strlen(s0)
+ 1).

$ cat v.cpp && make v && ./v
#include <assert.h>
#include <rw_char.h>
#include <rw_printf.h>

int main ()
{
    const char s0[] = "[EMAIL PROTECTED]";
    const char s1[] = "[EMAIL PROTECTED]";

    unsigned i = rw_match (s0, s1);

    rw_printf ("%u\n", i);

    assert (i == 2);
}
gcc -c -I/build/sebor/dev/stdlib/include/ansi -D_RWSTDDEBUG -pthreads
-D_RWSTD_USE_CONFIG -I/build/sebor/dev/stdlib/include
-I/build/sebor/gcc-4.1.0-15s/include -I/build/sebor/dev/stdlib/../rwtest
-I/build/sebor/dev/stdlib/../rwtest/include
-I/build/sebor/dev/stdlib/tests/include -pedantic -nostdinc++ -g -W
-Wall -Wcast-qual -Winline -Wshadow -Wwrite-strings -Wno-long-long v.cpp
gcc v.o -o v -L/build/sebor/gcc-4.1.0-15s/rwtest -lrwtest15s -pthreads
-L/build/sebor/gcc-4.1.0-15s/lib -lstd15s -lsupc++ -lm
3
Assertion failed: i == 2, file v.cpp, line 14
Abort (core dumped)
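
The lookahead pattern from the quoted char.cpp lines, written with an explicit end pointer so that src[0] and src[1] are read only when they lie inside the buffer. This is an added example, not part of the original message and not rwtest code; Token, get_char_bounded, expanded_length and the "@<digits>" repeat-suffix semantics are assumptions made for illustration.

```cpp
#include <cctype>
#include <cstddef>
#include <cstdio>

// Hypothetical decoder (not rwtest code): one logical character from
// [src, end), with an optional "@<digits>" repeat suffix.
struct Token {
    char        ch;     // decoded character
    std::size_t count;  // repeat count, 1 when there is no suffix
    const char *next;   // first unconsumed byte
};

Token get_char_bounded(const char *src, const char *end)
{
    Token t = { *src++, 1, nullptr };   // caller guarantees src < end

    // The lookahead touches src[0] and src[1], so require two remaining
    // bytes before reading either one.
    if (end - src >= 2 && '@' == src[0]
        && std::isdigit((unsigned char)src[1])) {
        std::size_t n = 0;
        for (++src; src < end && std::isdigit((unsigned char)*src); ++src)
            n = n * 10 + std::size_t(*src - '0');
        t.count = n;
    }
    t.next = src;
    return t;
}

// Expanded length of [src, end), never reading at or past end.
std::size_t expanded_length(const char *src, const char *end)
{
    std::size_t len = 0;
    while (src < end) {
        const Token t = get_char_bounded(src, end);
        len += t.count;
        src = t.next;
    }
    return len;
}

int main()
{
    // Constructed input: the bytes just past a short `end` form "@3".
    const char buf[] = "a@3";
    std::printf("%zu %zu\n", expanded_length(buf, buf + 1),
                expanded_length(buf, buf + 3));
    return 0;
}
```

Building a harness like this with -fsanitize=address and placing the input at the very end of a heap allocation turns any remaining out-of-bounds lookahead into an immediate, reportable failure.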