Subject: Re: bin/31077
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: Wim Lewis <wiml@hhhh.org>
List: netbsd-bugs
Date: 09/08/2005 08:37:02
The following reply was made to PR bin/31077; it has been noted by GNATS.
From: Wim Lewis <wiml@hhhh.org>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: bin/31077
Date: Thu, 8 Sep 2005 01:36:46 -0700
Looking at the actual committed code, I do not think rev 1.100 fixes
the bug. You moved the test which was near line 1888 in my patch
from being before the code it was protecting to after it. As a result
the new test never fires, since the preceding code has already incorrectly
handled the situation.
The bug doesn't happen every time; it relies on particular
placement of malloc blocks, or reuse of memory, or things like that.
But it's easy to check in the debugger that make will dereference
the byte after the NUL. (And it's pretty easy to see by inspection
of the code as well --- check the places Var_Parse() is called.) That
byte can easily be non-NUL; it could even be a SEGV.
FWIW, I think it's reasonable to have the test against NUL done
first, simply in the name of clarity. The person reading the code
can then rely on the usual assumption that they are dealing with
actual string text instead of sentinels in the later comparisons.
--
Wim Lewis <wiml@hhhh.org>, Seattle, WA, USA. PGP keyID 27F772C1
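The ordering problem the reply describes, as an added illustration that is not part of the original message and not the make(1) source: `scan_var_buggy`, `scan_var_fixed` and `walk_line` are hypothetical, simplified stand-ins for a routine like Var_Parse() and its caller, and the two input buffers are constructed so that the byte after the terminator is known. The point being shown is the one in the reply: a NUL test placed after the code it protects inspects the byte following the terminator, so for a lone trailing `$` it fires only when that stray byte happens to be zero, and the caller otherwise walks past the end of the string.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/*
 * Constructed example (not make(1) code). Each scanner is handed a pointer
 * at a '$' and returns how many bytes the caller should advance. For a lone
 * '$' at the end of the string the right answer is 1; anything larger sends
 * the caller past the NUL terminator.
 */

/* Test placed AFTER the advance: the NUL has already been consumed as the
 * one-character name, so the test looks at the byte following it. */
static size_t scan_var_buggy(const char *p)
{
    const char *q = p + 1;                  /* step over the '$' */

    if (*q == '{') {                        /* ${NAME} form */
        const char *end = strchr(q + 1, '}');
        return end ? (size_t)(end - p) + 1 : 1;
    }
    q++;                                    /* take one byte as the name,
                                               even when that byte is the NUL */
    if (*q == '\0')                         /* wrong byte: this is the one
                                               after the terminator */
        return 1;
    return (size_t)(q - p);
}

/* Test placed BEFORE the code it protects: a lone '$' consumes only itself,
 * and every later comparison deals with real string text. */
static size_t scan_var_fixed(const char *p)
{
    const char *q = p + 1;

    if (*q == '\0')                         /* end of string: nothing to parse */
        return 1;
    if (*q == '{') {
        const char *end = strchr(q + 1, '}');
        return end ? (size_t)(end - p) + 1 : 1;
    }
    return 2;                               /* '$' plus one name character */
}

/* Caller loop: walks the line and lets the scanner say how far to skip.
 * Returns the offset at which the walk stopped; anything greater than
 * strlen(line) means the walker ran past the terminator. */
static size_t walk_line(const char *line, size_t (*scan)(const char *))
{
    const char *p = line;

    while (*p != '\0') {
        if (*p == '$')
            p += scan(p);
        else
            p++;
    }
    return (size_t)(p - line);
}

/* Constructed inputs: both are the one-character string "$". They differ
 * only in the byte sitting after the terminator, standing in for whatever
 * the allocator happened to leave there. */
static const char lone_dollar_garbage[] = { '$', '\0', 'Z', '\0' };
static const char lone_dollar_zeroed[]  = { '$', '\0', '\0', '\0' };

int main(void)
{
    printf("buggy, garbage after NUL: stopped at offset %zu (strlen is %zu)\n",
           walk_line(lone_dollar_garbage, scan_var_buggy),
           strlen(lone_dollar_garbage));
    printf("buggy, zero after NUL:    stopped at offset %zu (works by luck)\n",
           walk_line(lone_dollar_zeroed, scan_var_buggy));
    printf("fixed, garbage after NUL: stopped at offset %zu\n",
           walk_line(lone_dollar_garbage, scan_var_fixed));
    return 0;
}
```

The two buffers make the intermittent nature of the bug visible without relying on allocator behaviour: the same scanner stops at the right place for one buffer and overruns for the other, which is why a debugger or a deliberate sentinel byte shows the fault more reliably than ordinary test runs do.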