*Synopsis*: *libpp* Array overrun in libpp CR 6764665 changed on Dec 9 2008 by <User 1-5Q-5151>
=== Field ================ === New Value ============= === Old Value =============
Hook 6                     <email address omitted>     <email address omitted>
Introduced in Build        snv_72
Introduced in Release      solaris_nevada
Status                     3-Accepted                  1-Dispatched
Synopsis                   *libpp* Array overrun in .. Array overrun in libpp
========================== =========================== ===========================

*Change Request ID*: 6764665
*Synopsis*: *libpp* Array overrun in libpp
Product: solaris
Category: shell
Subcategory: korn93
Type: Defect
Subtype:
Status: 3-Accepted
Substatus:
Priority: 3-Medium
Introduced In Release: solaris_nevada
Introduced In Build: snv_72
Responsible Engineer:
Keywords: parfait

=== *Description* ============================================================

/usr/src/lib/libpp/common/ppfsm.c (lines 861-871):

    }
    if (x >= 0)
    {
        *s = x;
        for (n = CHAR_MIN; n <= CHAR_MAX; n++)
            if (ppisidig(n))
                fsm[HITN][n] = HITN;
        n = HITN;
    }
    if (fsm[i][c] < n)
        fsm[i][c] = n;

ppisidig() expands to ((pptype)[c]&(C_ID|C_DIG)), and pptype further expands to (ppctype-(CHAR_MIN)+1) when char is signed (as it is by default on x86). ppctype in turn is a char array of 255 elements. As a result, the above loop runs from ppctype[1] through ppctype[256]. The bug looks to be in the definition of pptype - when char is unsigned, the code should work correctly.

This bug was found using the Parfait source code analysis tool.
See http://research.sun.com/projects/parfait

*** (#1 of 1): 2008-10-28 18:48:54 GMT+00:00 <User 1-5Q-544>

=== *Public Comments* ========================================================

=== *Workaround* =============================================================

=== *Additional Details* =====================================================
Targeted Release:
Commit To Fix In Build:
Fixed In Build:
Integrated In Build:
Verified In Build:
See Also:
Duplicate of:
Hooks:
  Hook1:
  Hook2:
  Hook3:
  Hook4:
  Hook5:
  Hook6: <email address omitted>
Program Management:
Root Cause:
Fix Affects Documentation: No
Fix Affects Localization: No

=== *History* ================================================================
Date Submitted: 2008-10-28 18:48:54 GMT+00:00
Submitted By: <User 1-5Q-544>

Status Changed   Date Updated                    Updated By
3-Accepted       2008-12-09 00:01:13 GMT+00:00   <User 1-5Q-5151>

=== *Service Request* ========================================================
Impact: Significant
Functionality: Secondary
Severity: 3
Product Name: solaris
Product Release: solaris_nevada
Product Build:
Operating System: solaris_nevada
Hardware: generic
Submitted Date: 2008-10-28 18:48:54 GMT+00:00

=== *Multiple Release (MR) Cluster* - 0 ======================================
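The index arithmetic the description walks through, as an added example that is not code from libpp or from this CR: it pins the report's stated shapes as constants (a 255-element ppctype and the signed-char CHAR_MIN/CHAR_MAX of -128/127, so the result does not depend on the build host's char signedness), computes the ppctype slot that each pptype[n] in the CHAR_MIN..CHAR_MAX loop resolves to without reading it, and pairs that with a bounds-checked lookup. The C_ID/C_DIG bit values are constructed placeholders.

```c
/* Added example for CR 6764665: reproduces the index arithmetic the report
 * describes using only the shapes it states, not libpp's real headers. */
#include <stddef.h>
#include <stdio.h>

#define PPCTYPE_SIZE 255      /* report: ppctype is a char array of 255 elements */
#define SCHAR_CHAR_MIN (-128) /* CHAR_MIN/CHAR_MAX for signed char, as on x86 */
#define SCHAR_CHAR_MAX 127
#define C_ID  0x01            /* constructed bit values; libpp's are not on the page */
#define C_DIG 0x02

static char ppctype[PPCTYPE_SIZE];

/* ppctype index that pptype[c] resolves to under the report's expansion
 * pptype = (ppctype-(CHAR_MIN)+1); computed arithmetically rather than by
 * forming the pointer, which is already undefined once it leaves the array. */
static ptrdiff_t pptype_offset(int c)
{
    return (ptrdiff_t)c - SCHAR_CHAR_MIN + 1;
}

struct overrun_report {
    ptrdiff_t first;    /* lowest ppctype index the loop touches  */
    ptrdiff_t last;     /* highest ppctype index the loop touches */
    int out_of_bounds;  /* iterations whose index is >= PPCTYPE_SIZE */
};

/* Walks n = CHAR_MIN..CHAR_MAX like the ppfsm.c loop and records which slots
 * ppisidig(n) would read, instead of reading them. */
static struct overrun_report analyse_loop(void)
{
    struct overrun_report r = { pptype_offset(SCHAR_CHAR_MIN),
                                pptype_offset(SCHAR_CHAR_MAX), 0 };
    for (int n = SCHAR_CHAR_MIN; n <= SCHAR_CHAR_MAX; n++)
        if (pptype_offset(n) < 0 || pptype_offset(n) >= PPCTYPE_SIZE)
            r.out_of_bounds++;
    return r;
}

/* Bounds-checked form of ppisidig(): a character whose slot lies outside the
 * table classifies as neither identifier nor digit instead of reading past it. */
static int ppisidig_checked(int c)
{
    ptrdiff_t i = pptype_offset(c);
    return (i < 0 || i >= PPCTYPE_SIZE) ? 0 : (ppctype[i] & (C_ID | C_DIG));
}

int main(void)
{
    struct overrun_report r = analyse_loop();
    printf("loop reads ppctype[%td..%td]; %d slots lie past the end\n", r.first, r.last, r.out_of_bounds);
    return 0;
}
```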