Re: Bug in return_append_str

2017-07-03 Thread Antonio Ceballos Roa
Mark,

Thanks. It seems quite evident. I will try to set up a scenario to catch it 
with valgrind though. Do you think it would be easy? I believe you deem it 
unnecessary, right?

Thanks,
Antonio

> On 3 Jul 2017, at 9:09, Mark Hermeling 
> wrote:
> 
> Antonio,
> 
> That is certainly true once the modification that I proposed is applied. You 
> need to allocate the space of the string, plus one character for the EOL. 
> However, with the current code you allocate enough memory for the string and 
> then move the pointer one character to the right. It is a simple typo, the 
> brackets are placed incorrectly. 
> 
> Regards,
> Mark
> 
> --
> Sent from my phone, please excuse any typos. 
> 
> 
>> On Jul 3, 2017, at 00:14, Antonio Ceballos  wrote:
>> 
>> Hi Mark,
>> 
>> Thanks for finding this potential bug and for providing a fix. However, how 
>> would you reply to the comment that is written right before the line you 
>> mentioned (I am not the author):
>> 
>> /* This doesn't have buffer overflow vulnerabilities, because
>>we always allocate for enough space before appending. */
>> 
>> Thanks,
>> Antonio Ceballos
>> 
>> 
>>> On Fri, Jun 30, 2017 at 2:20 PM, Mark Hermeling  
>>> wrote:
>>> Hello,
>>> 
>>> There is a buffer overrun in return_append_str in src/frontend/lexpgn.cc at 
>>> line 2224:
>>> newloc = (char *) malloc(strlen(s))+1;
>>> 
>>> The line should read:
>>> newloc = (char *) malloc(strlen(s)+1);
>>> 
>>> We found this using static analysis using CodeSonar. I don’t have an actual 
>>> path that will demonstrate this bug.
>>> 
>>> Regards,
>>> Mark
>>> 
>>> —
>>> Mark Hermeling | GrammaTech | Senior Director Product Marketing
>>> mobile +1 (607) 351-5719 | www.grammatech.com
>>> 
>>> ___
>>> Bug-gnu-chess mailing list
>>> Bug-gnu-chess@gnu.org
>>> https://lists.gnu.org/mailman/listinfo/bug-gnu-chess
>>> 
>> 

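The thread turns on where the `+1` binds in the allocation statement. The following C program is an added example, not GNU Chess code, and it models the two statements quoted above: `shape_buggy` mirrors `malloc(strlen(s))+1`, `shape_fixed` mirrors `malloc(strlen(s)+1)`, and `safe_append` is a hypothetical, correctly sized append routine (the real `return_append_str` signature is not on the page). The sample strings are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not GNU Chess code): models the allocation statement the
 * report quotes.  In the buggy form the +1 binds to the pointer returned by
 * malloc, not to the size, so the block is one byte too short for the NUL
 * terminator and the stored pointer no longer points at the block start. */
struct alloc_shape {
    size_t bytes_requested;  /* size actually passed to malloc */
    size_t pointer_offset;   /* distance of newloc from the block start */
    size_t bytes_needed;     /* strlen(s) + 1: characters plus terminator */
};

/* Mirrors: newloc = (char *) malloc(strlen(s))+1; */
static struct alloc_shape shape_buggy(const char *s)
{
    struct alloc_shape a;
    a.bytes_requested = strlen(s);
    a.pointer_offset  = 1;
    a.bytes_needed    = strlen(s) + 1;
    return a;
}

/* Mirrors: newloc = (char *) malloc(strlen(s)+1); */
static struct alloc_shape shape_fixed(const char *s)
{
    struct alloc_shape a;
    a.bytes_requested = strlen(s) + 1;
    a.pointer_offset  = 0;
    a.bytes_needed    = strlen(s) + 1;
    return a;
}

/* Bytes a strcpy through newloc would write past the end of the block
 * (0 when the copy fits). */
static size_t overrun_bytes(struct alloc_shape a)
{
    size_t usable = a.bytes_requested > a.pointer_offset
                  ? a.bytes_requested - a.pointer_offset : 0;
    return a.bytes_needed > usable ? a.bytes_needed - usable : 0;
}

/* Whether free(newloc) would receive the pointer malloc handed out. */
static int free_pointer_valid(struct alloc_shape a)
{
    return a.pointer_offset == 0;
}

/* Hypothetical, correctly sized append: returns a fresh buffer holding dst
 * followed by s, sized for both strings plus one terminator.  The caller
 * owns the result; NULL on allocation failure. */
static char *safe_append(const char *dst, const char *s)
{
    size_t dlen = strlen(dst), slen = strlen(s);
    char *newloc = (char *) malloc(dlen + slen + 1);
    if (newloc == NULL)
        return NULL;
    memcpy(newloc, dst, dlen);
    memcpy(newloc + dlen, s, slen + 1);  /* copies the terminator too */
    return newloc;
}

int main(void)
{
    const char *move = "Nf3";  /* constructed sample input */
    struct alloc_shape b = shape_buggy(move), f = shape_fixed(move);
    printf("buggy: malloc(%zu), pointer +%zu, overrun %zu bytes, free %s\n",
           b.bytes_requested, b.pointer_offset, overrun_bytes(b),
           free_pointer_valid(b) ? "valid" : "invalid");
    printf("fixed: malloc(%zu), pointer +%zu, overrun %zu bytes, free %s\n",
           f.bytes_requested, f.pointer_offset, overrun_bytes(f),
           free_pointer_valid(f) ? "valid" : "invalid");
    char *r = safe_append("1. e4", " e5");
    if (r != NULL) {
        printf("appended: \"%s\"\n", r);
        free(r);
    }
    return 0;
}
```

The model deliberately does not execute the buggy statement, since that is undefined behaviour; it only computes what the statement would do. It also shows why the comment in the source ("we always allocate for enough space before appending") describes the intended size expression rather than the one that is compiled: for "Nf3" the buggy form asks for 3 bytes, advances the pointer by 1, and then needs 4, leaving a two-byte heap write past the block, and the later `free(newloc)` hands the allocator a pointer one byte inside the block. On the valgrind question: a program that runs the buggy statement and copies into the buffer does produce both an invalid heap write and an invalid free under valgrind's memcheck (or under `-fsanitize=address`), so the bug is observable dynamically without any special input.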

Re: Bug in return_append_str

2017-07-03 Thread Mark Hermeling
Antonio,

That is certainly true once the modification that I proposed is applied. You 
need to allocate the space of the string, plus one character for the EOL. 
However, with the current code you allocate enough memory for the string and 
then move the pointer one character to the right. It is a simple typo, the 
brackets are placed incorrectly. 

Regards,
Mark

--
Sent from my phone, please excuse any typos. 


> On Jul 3, 2017, at 00:14, Antonio Ceballos  wrote:
> 
> Hi Mark,
> 
> Thanks for finding this potential bug and for providing a fix. However, how 
> would you reply to the comment that is written right before the line you 
> mentioned (I am not the author):
> 
> /* This doesn't have buffer overflow vulnerabilities, because
>we always allocate for enough space before appending. */
> 
> Thanks,
> Antonio Ceballos
> 
> 
>> On Fri, Jun 30, 2017 at 2:20 PM, Mark Hermeling  
>> wrote:
>> Hello,
>> 
>> There is a buffer overrun in return_append_str in src/frontend/lexpgn.cc at 
>> line 2224:
>> newloc = (char *) malloc(strlen(s))+1;
>> 
>> The line should read:
>> newloc = (char *) malloc(strlen(s)+1);
>> 
>> We found this using static analysis using CodeSonar. I don’t have an actual 
>> path that will demonstrate this bug.
>> 
>> Regards,
>> Mark
>> 
>> —
>> Mark Hermeling | GrammaTech | Senior Director Product Marketing
>> mobile +1 (607) 351-5719 | www.grammatech.com
>> 
>> 
> 


Re: Bug in return_append_str

2017-07-02 Thread Antonio Ceballos
Hi Mark,

Thanks for finding this potential bug and for providing a fix. However, how
would you reply to the comment that is written right before the line you
mentioned (I am not the author):

/* This doesn't have buffer overflow vulnerabilities, because
   we always allocate for enough space before appending. */

Thanks,
Antonio Ceballos


On Fri, Jun 30, 2017 at 2:20 PM, Mark Hermeling 
wrote:

> Hello,
>
> There is a buffer overrun in return_append_str in src/frontend/lexpgn.cc
> at line 2224:
> newloc = (char *) malloc(strlen(s))+1;
>
> The line should read:
> newloc = (char *) malloc(strlen(s)+1);
>
> We found this using static analysis using CodeSonar. I don’t have an
> actual path that will demonstrate this bug.
>
> Regards,
> Mark
>
> —
> Mark Hermeling | GrammaTech | Senior Director Product Marketing
> mobile +1 (607) 351-5719 | www.grammatech.com
>
>
>