*Synopsis*: *libpp* Array overrun in libpp CR 6764665 changed on Nov 23 2009 by <User 1-2S67RN>
=== Field ============ === New Value ============= === Old Value =============
Integrated in Build    snv_128
Status                 10-Fix Delivered            8-Fix Available
====================== =========================== ===========================

*Change Request ID*: 6764665
*Synopsis*: *libpp* Array overrun in libpp
Product: solaris
Category: shell
Subcategory: korn93
Type: Defect
Subtype:
Status: 10-Fix Delivered
Substatus:
Priority: 3-Medium
Introduced In Release: solaris_nevada
Introduced In Build: snv_72
Responsible Engineer: <User 1-7MTUEB>
Keywords: oss-request, oss-sponsor, parfait

=== *Description* ============================================================
/usr/src/lib/libpp/common/ppfsm.c, lines 861-871:

        }
        if (x >= 0)
        {
            *s = x;
            for (n = CHAR_MIN; n <= CHAR_MAX; n++)
                if (ppisidig(n))
                    fsm[HITN][n] = HITN;
            n = HITN;
        }
        if (fsm[i][c] < n)
            fsm[i][c] = n;

ppisidig() expands to ((pptype)[c]&(C_ID|C_DIG)), and pptype further expands to (ppctype-(CHAR_MIN)+1) when char is signed (as it is by default on x86). ppctype in turn is a char array of 255 elements. As a result, the above loop runs from ppctype[1] through ppctype[256].

The bug looks to be in the definition of pptype - when char is unsigned, the code should work correctly.

This bug was found using the Parfait source code analysis tool.
See http://research.sun.com/projects/parfait

*** (#1 of 1): 2008-10-28 18:48:54 GMT+00:00 <User 1-5Q-544>

=== *Public Comments* ========================================================

=== *Workaround* =============================================================

=== *Additional Details* =====================================================
Targeted Release: solaris_nevada
Commit To Fix In Build: snv_128
Fixed In Build: snv_128
Integrated In Build: snv_128
Verified In Build:
See Also: 6437624, 6793763
Duplicate of:
Hooks:
Hook1:
Hook2:
Hook3:
Hook4:
Hook5: <email address omitted>
Hook6: <email address omitted>
Program Management:
Root Cause: Insufficient Testing
Fix Affects Documentation: No
Fix Affects Localization: No

=== *History* ================================================================
Date Submitted: 2008-10-28 18:48:54 GMT+00:00
Submitted By: <User 1-5Q-544>

Status Changed       Date Updated                   Updated By
3-Accepted           2008-12-09 00:01:13 GMT+00:00  <User 1-5Q-5151>
6-Fix Understood     2009-06-16 15:16:40 GMT+00:00  <User 1-1SURPB>
7-Fix in Progress    2009-10-23 17:29:17 GMT+00:00  <User 1-7MTUEB>
8-Fix Available      2009-10-28 18:23:30 GMT+00:00  <User 1-5HNZ8F>
10-Fix Delivered     2009-11-23 05:16:48 GMT+00:00  <User 1-2S67RN>

=== *Service Request* ========================================================
Impact: Significant
Functionality: Secondary
Severity: 3
Product Name: solaris
Product Release: solaris_nevada
Product Build:
Operating System: solaris_nevada
Hardware: generic
Submitted Date: 2008-10-28 18:48:54 GMT+00:00

=== *Multiple Release (MR) Cluster* - 0 ======================================
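Added example, not code from this CR or from libpp: it models the index arithmetic the description quotes (pptype expanding to ppctype-(CHAR_MIN)+1, a 255-element table, and a loop over CHAR_MIN..CHAR_MAX) to show which table indices such a loop reaches, and puts the usual hardened form beside it (index by (unsigned char) into a table of UCHAR_MAX+1 entries). The C_ID/C_DIG bit values, the table contents and the function names are assumptions made for the example; nothing here is taken from libpp's headers. The model only computes indices and never dereferences past the stand-in table, so it runs cleanly rather than reproducing the overrun.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Table size the CR attributes to ppctype; a stand-in, not libpp's declaration. */
#define TABLE_LEN 255

/* Hypothetical class bits; libpp's real C_ID/C_DIG values are not on the page. */
#define C_ID  0x01
#define C_DIG 0x02

/* The description's expansion of pptype: (ppctype - (CHAR_MIN) + 1).
 * char_min is a parameter so the model does not depend on this compiler's
 * signedness of plain char; the arithmetic is done in long so it cannot wrap. */
static long translated_index(int c, int char_min)
{
    return (long)c - (long)char_min + 1;
}

/* Walk the same range the ppfsm.c loop walks (n = char_min .. char_max) and
 * return the first translated index outside a table of table_len elements,
 * or -1 if every access stays in bounds. Nothing is written. */
long first_out_of_bounds(int char_min, int char_max, size_t table_len)
{
    int n;
    for (n = char_min; n <= char_max; n++) {
        long idx = translated_index(n, char_min);
        if (idx < 0 || idx >= (long)table_len)
            return idx;
    }
    return -1;
}

/* Number of loop iterations whose index lands past the end of the table. */
long count_out_of_bounds(int char_min, int char_max, size_t table_len)
{
    long bad = 0;
    int n;
    for (n = char_min; n <= char_max; n++) {
        long idx = translated_index(n, char_min);
        if (idx < 0 || idx >= (long)table_len)
            bad++;
    }
    return bad;
}

/* Hardened form: one entry per possible unsigned char value, indexed by the
 * character's unsigned value, so whether plain char is signed is irrelevant. */
static unsigned char ctype_safe[UCHAR_MAX + 1];

void init_ctype_safe(void)
{
    int c;
    for (c = 0; c <= UCHAR_MAX; c++) {
        ctype_safe[c] = 0;                          /* assumed layout for the example */
        if (c >= '0' && c <= '9')
            ctype_safe[c] = C_DIG;
        else if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || c == '_')
            ctype_safe[c] = C_ID;
    }
}

/* Safe stand-in for ppisidig(): accepts any plain-char value, including the
 * negative ones a signed char produces for bytes >= 0x80, and never leaves the table. */
int isidig_safe(int c)
{
    return ctype_safe[(unsigned char)c] & (C_ID | C_DIG);
}

int main(void)
{
    /* CHAR_MIN = -128, CHAR_MAX = 127 is the signed-char case the CR describes. */
    printf("first index past the table: %ld\n",
           first_out_of_bounds(-128, 127, TABLE_LEN));
    printf("iterations past the table:  %ld\n",
           count_out_of_bounds(-128, 127, TABLE_LEN));
    init_ctype_safe();
    printf("isidig_safe('a')=%d isidig_safe((char)0xff)=%d\n",
           isidig_safe('a') != 0, isidig_safe((char)0xff) != 0);
    return 0;
}
```

With the signed-char parameters the model reports index 255 as the first access past a 255-entry table and two iterations beyond it, matching the ppctype[1] through ppctype[256] range in the description. The hardened lookup is the standard remedy for ctype-style tables: converting through (unsigned char) before indexing keeps every index in 0..UCHAR_MAX regardless of how the compiler (or flags such as GCC's -fsigned-char/-funsigned-char) defines plain char.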