This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATH] [BZ 15674] Fix reading past the array boundary in __memcmp_ssse3
- From: "H.J. Lu" <hjl dot tools at gmail dot com>
- To: Roland McGrath <roland at hack dot frob dot com>
- Cc: Liubov Dmitrieva <liubov dot dmitrieva at gmail dot com>, Andreas Schwab <schwab at suse dot de>, Richard Henderson <rth at twiddle dot net>, "Carlos O'Donell" <carlos at redhat dot com>, GNU C Library <libc-alpha at sourceware dot org>
- Date: Wed, 26 Jun 2013 14:18:26 -0700
- Subject: Re: [PATH] [BZ 15674] Fix reading past the array boundary in __memcmp_ssse3
On Wed, Jun 26, 2013 at 2:03 PM, Roland McGrath <roland@hack.frob.com> wrote:
> I don't know why the BUF variable is there rather than just using BUF2
> directly as you do BUF1.

BUF2 also works.

> It seems a little nasty that it repeats the magic number from test-string.h
> and relies on it matching for the test to be correct. If tests are going
> to encode the particular values of the BUF[12] fill bytes, then test-string.h
> should define macros for the values so we don't repeat the constants.
>
> OTOH, the new test could just memcpy instead of memset to more
> straightforwardly ensure the buffers match where they should and don't
> where they shouldn't:
>
>   memcpy (buf2, buf1, page_size);
>   ((char *) buf2)[page_size - 1] ^= 0x11;
>

It should work.

--
H.J.
--
diff --git a/string/test-memcmp.c b/string/test-memcmp.c
index b30e34d..0420cd0 100644
--- a/string/test-memcmp.c
+++ b/string/test-memcmp.c
@@ -448,6 +448,29 @@ check1 (void)
}
}
+/* This test checks that memcmp doesn't overrun buffers. */
+static void
+check2 (void)
+{
+ size_t max_length = page_size / sizeof (CHAR);
+
+ /* Initialize buf2 to the same values as buf1. The bug requires the
+ last compared byte to be different. */
+ memcpy (buf2, buf1, page_size);
+ ((char *) buf2)[page_size - 1] ^= 0x11;
+
+ for (size_t length = 1; length < max_length; length++)
+ {
+ CHAR *s1 = (CHAR *) buf1 + max_length - length;
+ CHAR *s2 = (CHAR *) buf2 + max_length - length;
+
+ const int exp_result = SIMPLE_MEMCMP (s1, s2, length);
+
+ FOR_EACH_IMPL (impl, 0)
+ check_result (impl, s1, s2, length, exp_result);
+ }
+}
+
int
test_main (void)
{
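
Review bot: the loop bound `length < max_length` in check2 stops one short, so the comparison that starts at the very beginning of buf1 and buf2 and covers the whole page is never run; either use `length <= max_length` or say in a comment why the full-length case is left out. The comment above check2 could also state that every s1/s2 is placed so that the compared region ends exactly at buf1 + max_length and buf2 + max_length, since that placement is what the test relies on and "doesn't overrun buffers" alone does not convey it. The `(char *)` cast on the XOR line changes a single byte even when `sizeof (CHAR)` is larger than 1, which deserves a word in the same comment.
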
@@ -456,6 +479,7 @@ test_main (void)
test_init ();
check1 ();
+ check2 ();
printf ("%23s", "");
FOR_EACH_IMPL (impl, 0)
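
The idea behind the test discussed in this message, as an added stand-alone example (not code from the patch or from glibc's test harness): each buffer ends at an inaccessible guard page, so a memcmp that reads past the last compared byte faults. It assumes POSIX mmap and mprotect; `guarded_page` and `check_tail_compares` are hypothetical names and the fill pattern is constructed.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Map one writable page followed by a PROT_NONE guard page, so any read
   past the end of the first page faults instead of going unnoticed.  */
static unsigned char *guarded_page (size_t page_size)
{
  unsigned char *p = mmap (NULL, 2 * page_size, PROT_READ | PROT_WRITE,
                           MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
  if (p == MAP_FAILED || mprotect (p + page_size, page_size, PROT_NONE) != 0)
    return NULL;
  return p;
}

/* Count the lengths for which memcmp returns the wrong sign; -1 means the
   setup failed.  A memcmp that reads past the page dies with SIGSEGV.  */
int check_tail_compares (void)
{
  size_t page_size = (size_t) sysconf (_SC_PAGESIZE);
  unsigned char *b1 = guarded_page (page_size);
  unsigned char *b2 = guarded_page (page_size);
  if (b1 == NULL || b2 == NULL)
    return -1;
  for (size_t i = 0; i < page_size; i++)
    b1[i] = (unsigned char) (i * 7 + 1);   /* constructed fill pattern */
  memcpy (b2, b1, page_size);
  b2[page_size - 1] ^= 0x11;               /* only the last byte differs */
  /* Every comparison below ends on that byte, so the sign is fixed.  */
  int expected = b1[page_size - 1] < b2[page_size - 1] ? -1 : 1;

  int mismatches = 0;
  for (size_t len = 1; len <= page_size; len++)
    {
      int r = memcmp (b1 + page_size - len, b2 + page_size - len, len);
      mismatches += ((r > 0) - (r < 0)) != expected;
    }
  munmap (b1, 2 * page_size);
  munmap (b2, 2 * page_size);
  return mismatches;
}

int main (void)
{
  printf ("mismatches: %d\n", check_tail_compares ());
  return 0;
}
```

On a fixed memcmp this prints `mismatches: 0`; an implementation that reads beyond the last compared byte crashes on the guard page before returning.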