off by one will be my epitaph
the last one (char mon[12] => mon[13]) was caught in may
the rest are fixed for the next release
thanks
-- Glenn Fowler -- AT&T Research, Florham Park NJ --

On Sun, 7 Dec 2008 18:02:22 -0700 (MST) bugmail-sender at sun.com wrote:
> *Synopsis*: Array overruns in libast
> CR 6765756 changed on Dec 8 2008 by <User 1-7MTUEB>
>
> === Field ============ === New Value ============= === Old Value =============
> Hook 6 <email address omitted>
> SubCategory korn93 korn
> ====================== =========================== ===========================
>
> *Change Request ID*: 6765756
> *Synopsis*: Array overruns in libast
> Product: solaris
> Category: shell
> Subcategory: korn93
> Type: Defect
> Subtype:
> Status: 1-Dispatched
> Substatus:
> Priority: 3-Medium
> Introduced In Release:
> Introduced In Build:
> Responsible Engineer:
> Keywords: parfait
>
> === *Description* ============================================================
> usr/src/lib/libast/common/sfio/sfvscanf.c
> 0153: for(c = 0; c <= SF_MAXCHAR; ++c)
> 0154: ac->ok[c] = !ac->yes;
> 0155:
> 0156: if(*form == ']' || *form == '-') /* special first char */
> 0157: { ac->ok[*form] = ac->yes;
> 0158: form += 1;
> 0159: }
> Array ac->ok has size of SF_MAXCHAR (255), and last loop iteration accesses
> ac->ok[SF_MAXCHAR].
>
> usr/src/lib/libast/common/comp/setlocale.c
> 0800: for (i = 1; i < n; i++)
> 0801: single(i, NiL);
> 0802: return -1;
> 0803: }
> 0804: }
> 0805: else if (!categories[n].prev)
> 0806: categories[n].prev = p;
> 0807: }
> 0808: return n;
> 0809: }
> In this case, the loop bounds are correct (<AST_LC_COUNT), but n is used after
> incrementing and not tested, effectively looping from 1 to 14 inclusive.
>
> usr/src/lib/libast/common/path/pathkey.c
> 0159: break;
> 0160: usr[c++] = k;
> 0161: while (*k && *k != ':' && *k != ' ')
> 0162: k++;
> 0163: }
> 0164: usr[c] = 0;
> 0165: ver[0] = (char*)lang;
> 0166: ver[1] = k = (s = strrchr(path, '/')) ? s + 1 : path;
> If the PROBE_ATTRIBUTES or VERSION_ENVIRONMENT environment variables contain
> 16 or more colon-separated items, c will be 16, leading to an overrun on line
> 164.
>
> usr/src/lib/libast/common/tm/tmxdate.c
> 0350: if (k)
> 0351: flags |= MONTH;
> 0352: else
> 0353: for (i = 1; i <= 12; i++)
> 0354: mon[i] = 1;
> The for loop runs from 1 to 12 instead of 0 to 11 on a char[12] array.
>
> This bug was found using the Parfait source code analysis tool.
> See http://research.sun.com/projects/parfait
>
> *** (#1 of 1): 2008-10-30 18:56:58 GMT+00:00 <User 1-5Q-544>
>
> === *Public Comments* ========================================================
>
> === *Workaround* =============================================================
>
> === *Additional Details* =====================================================
> Targeted Release:
> Commit To Fix In Build:
> Fixed In Build:
> Integrated In Build:
> Verified In Build:
> See Also:
> Duplicate of:
> Hooks:
> Hook1:
> Hook2:
> Hook3:
> Hook4:
> Hook5:
> Hook6: <email address omitted>
> Program Management:
> Root Cause:
> Fix Affects Documentation: No
> Fix Affects Localization: No
>
> === *History* ================================================================
> Date Submitted: 2008-10-30 18:56:58 GMT+00:00
> Submitted By: <User 1-5Q-544>
> Status Changed Date Updated Updated By
>
> === *Service Request* ========================================================
> Impact: Significant
> Functionality: Secondary
> Severity: 3
> Product Name: solaris
> Product Release: solaris_nevada
> Product Build:
> Operating System: solaris_nevada
> Hardware: generic
> Submitted Date: 2008-10-30 18:56:58 GMT+00:00
>
> === *Multiple Release (MR) Cluster* - 0 ======================================
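The three loop patterns the report flags (the byte-indexed scanset table, the colon-split into a fixed pointer array, and the 12-entry month array), written in their bounded form, as an added example that is not code from the libast sources or from the bug report. The value 255 for SF_MAXCHAR and the char[12] month array come from the report; the usr[] capacity of 16 is inferred from "c will be 16", and the MAXCHAR/MAX_ITEMS macros and all function names are assumptions.

```c
#include <stddef.h>

#define MAXCHAR   255   /* stands in for SF_MAXCHAR (255 per the report) */
#define MAX_ITEMS 16    /* assumed capacity of the usr[] pointer array in pathkey.c */

/* A table indexed by every byte value needs MAXCHAR+1 slots, not MAXCHAR:
 * the inclusive loop below is only safe because the array is sized that way. */
typedef struct { unsigned char ok[MAXCHAR + 1]; int yes; } scanset_t;

/* Initialise the table and return how many entries were written. */
int scanset_init(scanset_t *ac, int yes) {
    int c;
    ac->yes = yes;
    for (c = 0; c <= MAXCHAR; ++c)
        ac->ok[c] = (unsigned char)!yes;
    return MAXCHAR + 1;
}

/* Mark one byte as accepted; cast through unsigned char so a high-bit char
 * from the format string cannot become a negative index. */
void scanset_add(scanset_t *ac, char ch) {
    ac->ok[(unsigned char)ch] = (unsigned char)ac->yes;
}

/* Split a colon/space-separated list into at most cap-1 pointers, leaving one
 * slot for the terminating NULL. Extra items are dropped instead of written
 * past the end of out[]. Returns the number of items stored. */
int split_items(char *s, char **out, int cap) {
    int c = 0;
    char *k = s;
    while (*k && c < cap - 1) {
        out[c++] = k;
        while (*k && *k != ':' && *k != ' ')
            k++;
        if (*k)
            *k++ = 0;           /* terminate this item and step past the separator */
    }
    out[c] = NULL;              /* c <= cap-1, so this index is always in range */
    return c;
}

/* A 12-entry month array is indexed 0..11; returns the count of entries set. */
int set_all_months(char mon[12]) {
    int i, n = 0;
    for (i = 0; i < 12; i++) { mon[i] = 1; n++; }
    return n;
}
```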