found an integer overflow that leads to stack_overflow #188
Comments
Indeed. I wonder if

I think there are more problems. The assignment of '.' might be outside the buffer.

Yes, I agree.

Please review last commit on master: 8a90c92

BTW: it is rather strange that the compiler did not warn about this.

The compiler did not warn because it doesn't know the value of

Sorry, but your suggestion is not good because it depends on the integer size. The following was written before your last EDIT, FYI. So I will close here. Why do you think an overflow still happens? Does your test still fail? The invariant is that k is what is left in the buffer. The compiler could have warned that the test <= 0 does not make sense. There are many other places where the compiler warns even if the code actually makes sense. It's getting late, so I'll continue tomorrow if you have some suggestions.
Thanks for reporting. |
In parser.c:

k seems to be the size of the rest of the buffer on the stack (var 'buf', whose type is char[]).
n is the memcpy size (3rd parameter).
The while condition k > 0 keeps the buffer from being full. If we enter the if (k < n) branch, n = k, so var n is assigned the value of k; then k -= n, so var k is assigned the value 0; then --k, so var k is assigned the value 0xffffffffffffffff while var k's type is size_t. So the while condition k > 0 does not make sense; the next memcpy will lead to a stack overflow.

poc:
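As an added illustration of the size_t arithmetic the report and the follow-up comments describe (a constructed example, not the reporter's PoC and not the project's parser.c; BUF_SIZE, the chunk list and all function names are assumptions), here is the buggy update beside one possible hardened form. Both loop models only track write offsets, so the wrap cannot actually corrupt the stack when the example runs:

```c
#include <stddef.h>
#include <stdint.h>

#define BUF_SIZE 16   /* size of the hypothetical stack buffer 'buf' */

/* Constructed sample input: chunk lengths handed to memcpy in turn. */
static const size_t SAMPLE_CHUNKS[] = {8, 8};

/* The arithmetic from the report: when k == n the clamp leaves k at 0 and
 * the following --k wraps it to SIZE_MAX, so 'while (k > 0)' never stops. */
static size_t buggy_update(size_t k, size_t n) {
    if (k < n) n = k;   /* clamp chunk to what is left */
    k -= n;             /* may reach 0 */
    --k;                /* reserve the '.' slot: wraps when k was 0 */
    return k;
}

/* Both loop models return how many bytes past the end of buf the writes of
 * one iteration (memcpy plus the '.') would reach; 0 means every write stayed
 * inside. No real memcpy is performed, only the offsets are tracked. */
static size_t buggy_overrun(const size_t *chunks, size_t count) {
    size_t k = BUF_SIZE, off = 0, i = 0;
    while (k > 0 && i < count) {
        size_t n = chunks[i++];
        if (k < n) n = k;
        if (off + n + 1 > BUF_SIZE)         /* memcpy or the '.' overruns */
            return off + n + 1 - BUF_SIZE;
        off += n;                           /* memcpy(buf + off, src, n) */
        k -= n;
        off += 1;                           /* buf[off] = '.' */
        --k;                                /* wraps if k was 0 */
    }
    return 0;
}

/* One possible hardening (not the project's commit): budget the separator
 * before copying, so n + 1 <= k always holds and k can never wrap. */
static size_t fixed_overrun(const size_t *chunks, size_t count) {
    size_t k = BUF_SIZE, off = 0, i = 0;
    while (k > 1 && i < count) {            /* need room for data and '.' */
        size_t n = chunks[i++];
        if (n > k - 1) n = k - 1;           /* leave one byte for '.' */
        if (off + n + 1 > BUF_SIZE)
            return off + n + 1 - BUF_SIZE;  /* cannot happen with the budget */
        off += n + 1;                       /* memcpy + '.' */
        k -= n + 1;
    }
    return 0;
}
```

With the sample chunks the buggy loop clamps the second chunk to the remaining space and then writes '.' one byte past the buffer, exactly the case raised in the comments, while the hardened loop truncates the chunk instead.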