[Bug gcov-profile/92382] New: variable double-definition in routine replace_filename_variables of libgcc/libgcov-driver-system.c

[qinzhao at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=92382

            Bug ID: 92382
           Summary: variable double-definition in routine
                    replace_filename_variables of
                    libgcc/libgcov-driver-system.c
           Product: gcc
           Version: 10.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: gcov-profile
          Assignee: unassigned at gcc dot gnu.org
          Reporter: qinzhao at gcc dot gnu.org
                CC: marxin at gcc dot gnu.org
  Target Milestone: ---

In the routine replace_filename_variables of libgcc/libgcov-driver-system.c:

145 static char *
146 replace_filename_variables (char *filename)
147 {
148   char buffer[16];
149   char empty[] = "";
150   for (char *p = filename; *p != '\0'; p++)
151     {
152       unsigned length = strlen (filename);
153       if (*p == '%' && *(p + 1) != '\0')
154         {
155           unsigned start = p - filename;
156           p++;
157           char *replacement = NULL;
158           switch (*p)
159             {
160             case 'p':
161               sprintf (buffer, "%d", getpid ());
162               replacement = buffer;
163               p++;
164               break;
165             case 'q':
166               if (*(p + 1) == '{')
167                 {
168                   p += 2;
169                   char *e = strchr (p, '}');
170                   if (e)
171                     {
172                       *e = '\0';
173                       replacement = getenv (p);
174                       if (replacement == NULL)
175                         replacement = empty;
176                       p = e + 1;
177                     }
178                   else
179                     return filename;
180                 }
181               break;
182             default:
183               return filename;
184             }
185 
186           /* Concat beginning of the path, replacement and
187              ending of the path.  */
188           unsigned end = length - (p - filename);
189           unsigned repl_length = replacement != NULL ? strlen (replacement)
: 0;
190 
191           char *buffer = (char *)xmalloc (start + end + repl_length + 1);
192           char *buffer_ptr = buffer;
193           buffer_ptr = (char *)memcpy (buffer_ptr, filename, start);
194           buffer_ptr += start;
195           if (replacement != NULL)
196             buffer_ptr = (char *)memcpy (buffer_ptr, replacement,
repl_length);
197           buffer_ptr += repl_length;
198           buffer_ptr = (char *)memcpy (buffer_ptr, p, end);
199           buffer_ptr += end;
200           *buffer_ptr = '\0';
201 
202           free (filename);
203           filename = buffer;
204           p = buffer + start + repl_length;
205         }
206     }
207 
208   return filename;
209 }

The major issue in the above code is:  the "buffer" is redefined: 

At line 148, "buffer" is defined outside the loop, the intend usage of this 
"buffer" is at line 161 and 162 to hold the process id string for the 
replacement of "%p"; 

However, At line 191, inside this same loop, "buffer" is defined again and 
initialized to hold the new name of the whole filename, and the lifetime of 
this "buffer" will overwrite the other "buffer" defined outside of the loop.   

the fix to this problem is to rename the second "buffer" of line 183 to 
another different name.