[ https://issues.apache.org/jira/browse/STDCXX-857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12588183#action_12588183 ]

Travis Vitek commented on STDCXX-857:
-------------------------------------


Internally the {{rw_asnprintf()}} routine will reallocate the destination 
buffer with a call to {{_rw_bufcat()}}. After the reallocation happens, we 
check some guard bytes to verify the buffer was not overflowed, and then we 
free it. There are two problems. First off, we don't ever write the guard bytes 
to the end of the input buffers provided by the user. This results in an 
unexpected assert. The second problem is that we don't track who owns the 
buffer, so we will end up calling {{free()}} on a pointer to stack data.

My suggested fix is to add a flag to the Buffer struct in fmt_defs.h that 
indicates who owns the buffer. If, in {{_rw_bufcat()}}, we see that we don't own 
the buffer, then we don't do bounds checking on it [because we have no idea 
what the contents were], and we won't attempt to free it. That seems pretty 
easy to handle. This simple fix does have one big drawback: it may allow stack 
corruption because we aren't checking the buffer guard bytes after the first 
reallocation. The current code doesn't really do it, so it isn't really much of 
a loss, but it is something that I should mention.



> unexpected assertion from _rw_bufcat
> ------------------------------------
>
>                 Key: STDCXX-857
>                 URL: https://issues.apache.org/jira/browse/STDCXX-857
>             Project: C++ Standard Library
>          Issue Type: Bug
>          Components: Test Driver
>    Affects Versions: 4.2.1
>            Reporter: Travis Vitek
>            Assignee: Travis Vitek
>             Fix For: 4.2.1
>
>   Original Estimate: 2h
>  Remaining Estimate: 2h
>
> Here is a testcase.
> {noformat}
> #include <rw_printf.h>
> #include <string.h>
> #include <stdlib.h>
> int main (int argc, char* argv[])
> {
>     const char* s = 1 < argc ? argv [1] : "bug-zapper";
>     char buffer [4];
>     char *buf = buffer;
>     size_t bufsize = sizeof buffer;
>     rw_asnprintf (&buf, &bufsize, "%s", s);
>     if (buf != buffer)
>         free (buf);
>     return 0;
> }
> {noformat}
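The ownership-flag fix sketched in the comment above, as an added example written for this page and not code from stdcxx: the struct layout, field names, growth step and guard-byte scheme are assumptions. A caller-supplied (stack) buffer is neither guard-checked nor freed; once the routine allocates, every later reallocation checks the guard bytes and frees only the buffer it owns.

```c
#include <stdlib.h>
#include <string.h>

/* Assumed layout for this example, not the stdcxx fmt_defs.h definition.
   Guard bytes follow every buffer this code allocates itself. */
#define GUARD_SIZE 4
static const unsigned char guard[GUARD_SIZE] = { 0xde, 0xad, 0xbe, 0xef };

struct Buffer {
    char  **pbuf;      /* caller's buffer pointer (may point at stack data) */
    size_t *pbufsize;  /* caller's buffer size */
    size_t  endoff;    /* bytes already written */
    int     owned;     /* 1 once this code has allocated *pbuf, else 0 */
};

/* Append n bytes of s plus a NUL, growing if needed; 0 on success, -1 on error. */
int buf_cat(struct Buffer *b, const char *s, size_t n)
{
    size_t want = b->endoff + n + 1;
    if (want > *b->pbufsize) {
        /* Only buffers we allocated carry guard bytes, so only they are checked. */
        if (b->owned && memcmp (*b->pbuf + *b->pbufsize, guard, GUARD_SIZE) != 0)
            return -1;                   /* guard clobbered: refuse to continue */
        size_t newsize = want + 8;       /* small step so a regrow is easy to show */
        char *newbuf = (char*) malloc (newsize + GUARD_SIZE);
        if (!newbuf) return -1;
        memcpy (newbuf, *b->pbuf, b->endoff);
        memcpy (newbuf + newsize, guard, GUARD_SIZE);
        if (b->owned) free (*b->pbuf);   /* a caller-supplied buffer is never freed */
        *b->pbuf = newbuf;
        *b->pbufsize = newsize;
        b->owned = 1;
    }
    memcpy (*b->pbuf + b->endoff, s, n);
    b->endoff += n;
    (*b->pbuf)[b->endoff] = '\0';
    return 0;
}

/* Mirrors the ticket's test case (4-byte stack buffer), appending s twice so a
   later call may regrow an owned buffer. Returns 1 if the result is correct. */
int demo(const char *s)
{
    char stackbuf[4], *buf = stackbuf;
    size_t n = strlen (s), bufsize = sizeof stackbuf;
    struct Buffer b = { &buf, &bufsize, 0, 0 };
    int ok = buf_cat (&b, s, n) == 0 && buf_cat (&b, s, n) == 0
          && buf != stackbuf && b.owned && b.endoff == 2 * n
          && strncmp (buf, s, n) == 0 && strcmp (buf + n, s) == 0;
    if (buf != stackbuf) free (buf);
    return ok;
}
```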

-- 
This message is automatically generated by JIRA.