Subject: Re: bin/31077
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: Wim Lewis <wiml@hhhh.org>
List: netbsd-bugs
Date: 09/08/2005 08:37:02
The following reply was made to PR bin/31077; it has been noted by GNATS.

From: Wim Lewis <wiml@hhhh.org>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: bin/31077
Date: Thu, 8 Sep 2005 01:36:46 -0700

 Looking at the actual committed code, I do not think rev 1.100 fixes
 the bug. You moved the test which was near line 1888 in my patch
 from being before the code it was protecting to after it. As a result
 the new test never fires, since the preceding code has already incorrectly
 handled the situation.
 
 The bug doesn't happen every time; it relies on particular
 placement of malloc blocks, or reuse of memory, or things like that.
 But it's easy to check in the debugger that make will dereference
 the byte after the NUL. (And it's pretty easy to see by inspection
 of the code as well --- check the places Var_Parse() is called.) That
 byte can easily be non-NUL; it could even be a SEGV.
 
 FWIW, I think it's reasonable to have the test against NUL done
 first, simply in the name of clarity. The person reading the code
 can then rely on the usual assumption that they are dealing with
 actual string text instead of sentinels in the later comparisons.
 
 -- 
    Wim Lewis <wiml@hhhh.org>, Seattle, WA, USA. PGP keyID 27F772C1
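The reply above describes a check-ordering bug: a scanner that interprets and skips the byte after a `$` before confirming that the `$` was not the last character of the string, so the NUL terminator can be stepped over and the loop continues into whatever memory follows. The following C program is a constructed illustration of that bug class added here for the reader; it is not the code from make(1) and does not reproduce Var_Parse(). The function names, the `$x` reference syntax and the sample buffer are all assumptions made for the example. The sample buffer deliberately places readable bytes after an embedded NUL so the over-read shows up as a wrong count instead of an unpredictable crash.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample input: the string "a$" followed, inside the same array,
 * by bytes that a correct scanner must never see. A real string ends at the
 * first NUL, so the only reference a correct scan can find is the dangling
 * '$' with nothing after it. */
static const char SAMPLE_PAST_NUL[] = "a$\0$b$c";

/* Buggy ordering (hypothetical, mirrors the bug class from the PR reply):
 * after a '$', the byte that follows is consumed as the variable name and
 * both bytes are skipped. When '$' is the last character, s[1] is the NUL
 * terminator, it is skipped as if it were a name, and the loop keeps reading
 * past the end of the string. */
size_t count_refs_buggy(const char *s)
{
    size_t n = 0;
    while (*s != '\0') {
        if (*s == '$') {
            n++;        /* "$<name>" reference */
            s += 2;     /* BUG: skips s[1] even when s[1] is the NUL */
        } else {
            s++;
        }
    }
    return n;
}

/* Fixed ordering: test for NUL first, before the byte after '$' is
 * interpreted or skipped. Later comparisons can then assume they are
 * looking at string text rather than the terminator. */
size_t count_refs_fixed(const char *s)
{
    size_t n = 0;
    while (*s != '\0') {
        if (*s == '$') {
            if (s[1] == '\0')   /* dangling '$' at end of string: stop here */
                break;
            n++;
            s += 2;
        } else {
            s++;
        }
    }
    return n;
}

int main(void)
{
    printf("well-formed \"x$y$z\": buggy=%zu fixed=%zu\n",
           count_refs_buggy("x$y$z"), count_refs_fixed("x$y$z"));
    printf("dangling '$' before NUL: buggy=%zu fixed=%zu\n",
           count_refs_buggy(SAMPLE_PAST_NUL), count_refs_fixed(SAMPLE_PAST_NUL));
    return 0;
}
```

On well-formed input both versions agree; on the dangling-`$` buffer the buggy scan reports references that lie beyond the terminator, which is exactly the kind of result that depends on what happens to sit after the NUL in a real heap buffer.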