[bug #64124] Use after free in expand_variable_buf.

2023-04-30 Thread Paul D. Smith
Update of bug #64124 (project make):

          Status: None => Fixed
     Open/Closed: Open => Closed
   Fixed Release: None => SCM
   Triage Status: None => Small Effort

___

Follow-up Comment #3:

Pushed, thanks Dmitry.


___

Reply to this item at:

  

___
Message sent via Savannah
https://savannah.gnu.org/




[bug #64124] Use after free in expand_variable_buf.

2023-04-29 Thread Dmitry Goncharov
Follow-up Comment #1, bug #64124 (project make):

There is use after free in expand_variable_buf.

When the expanded value of the variable in buf occupies more space than
available in variable_buffer, function variable_buffer_output reallocates
variable_buffer.
This reallocation leaves buf in expand_variable_buf to point to an already
freed region of memory.
Can be observed with a sufficiently large value of MAKEFLAGS.


$ cat makefile 
$(info hello=$(hello))
all:
$ v=12345
$ echo ${#v}
5
$ MAKEFLAGS=" -- hello=$v" make
hello=12345
make: Nothing to be done for 'all'.
$ v=$( for k in {1..90}; do echo -n $k; done )
$ echo ${#v}
171
$ MAKEFLAGS=" -- hello=$v" make
hello=123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990
  
   
make: Nothing to be done for 'all'.
$ v=$( for k in {1..110}; do echo -n $k; done )
$ echo ${#v}
222
$ MAKEFLAGS=" -- hello=$v" make
: invalid option -- '�'
: invalid option -- '�'
: invalid option -- '�'
: invalid option -- '�'
: invalid option -- '^'
: invalid option -- 'U'
Usage: make [options] [target] ...
Options:
  -b, -m  Ignored for compatibility.
  -B, --always-make   Unconditionally make all targets.
...




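A minimal C model of the pattern described in the comment above, added here as an illustration; it is not GNU make's code and not the fix that was pushed. The names `outbuf`, `outbuf_output`, `expand_value` and `demo`, and the 200-byte capacity, are hypothetical, and growth is forced to move the block so the stale-pointer condition occurs deterministically.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable output buffer standing in for variable_buffer. */
struct outbuf { char *base; size_t cap; unsigned moves; };

/* Write len bytes at `at`, growing when they do not fit. Growth here always
   moves the data to a fresh block (realloc is allowed to do the same), so
   every pointer taken from the old block dangles once this returns. */
static char *outbuf_output(struct outbuf *b, char *at, const char *s, size_t len) {
    size_t off = (size_t)(at - b->base);
    if (off + len + 1 > b->cap) {
        size_t ncap = 2 * (off + len + 1);
        char *fresh = malloc(ncap);
        if (!fresh) abort();
        memcpy(fresh, b->base, off);
        free(b->base);              /* old block is gone from here on */
        b->base = fresh; b->cap = ncap;
        b->moves++;
    }
    memcpy(b->base + off, s, len);
    b->base[off + len] = '\0';
    return b->base + off + len;     /* valid only in the current block */
}

/* Caller in the style of the report: `buf` points into the buffer. The start
   is kept as an offset and the pointer rebuilt from b->base after the output
   call; using the original `buf` after the call is the use after free. */
static const char *expand_value(struct outbuf *b, char *buf, const char *value) {
    size_t start = (size_t)(buf - b->base);
    outbuf_output(b, buf, value, strlen(value));
    return b->base + start;
}

/* Constructed demo: expand n characters into a 200-byte buffer (size assumed).
   Returns 1 if the text is intact; *moves = number of reallocations. */
int demo(size_t n, unsigned *moves) {
    struct outbuf b = { malloc(200), 200, 0 };
    char value[512];
    if (!b.base || n >= sizeof value) abort();
    memset(value, '7', n); value[n] = '\0';
    const char *out = expand_value(&b, b.base, value);
    int ok = strlen(out) == n && memcmp(out, value, n) == 0;
    *moves = b.moves;
    free(b.base);
    return ok;
}

int main(void) { unsigned m; return !(demo(171, &m) && demo(222, &m)); }
```

Building the unsafe variant (returning `buf` from `expand_value`) with `-fsanitize=address` makes the stale read abort with a heap-use-after-free report instead of printing garbage.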




[bug #64124] Use after free in expand_variable_buf.

2023-04-29 Thread Dmitry Goncharov
URL:
  

          Summary: Use after free in expand_variable_buf.
            Group: make
        Submitter: dgoncharov
        Submitted: Sat 29 Apr 2023 01:27:06 PM UTC
         Severity: 3 - Normal
       Item Group: Bug
           Status: None
          Privacy: Public
      Assigned to: None
      Open/Closed: Open
  Discussion Lock: Any
Component Version: SCM
 Operating System: Any
    Fixed Release: None
    Triage Status: None


___

Follow-up Comments:


---
Date: Sat 29 Apr 2023 01:27:06 PM UTC By: Dmitry Goncharov 
.






