You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@subversion.apache.org by Daniel <da...@fastmail.fm> on 2007/12/10 18:10:38 UTC
[PATCH] Out of bounds array access in hooks.c
Hi All,
hooks.c declares (line 551) an array of four elements and accesses five
of its elements:
{
const char *args[4];
char *capabilities_string = svn_cstring_join(capabilities, ":", pool);
/* Get rid of that annoying final colon. */
if (capabilities_string[0])
capabilities_string[strlen(capabilities_string) - 1] = '\0';
args[0] = hook;
args[1] = svn_path_local_style(svn_repos_path(repos, pool), pool);
args[2] = user ? user : "";
args[3] = capabilities_string;
args[4] = NULL;
SVN_ERR(run_hook_cmd(SVN_REPOS__HOOK_START_COMMIT, hook, args, NULL,
pool));
}
This fixes the problem:
[[[
Follow-up to r27614: Fix segfault.
* subversion/libsvn_repos/hooks.c
(svn_repos__hooks_start_commit): Allocate one more array element.
]]]
Index: subversion/libsvn_repos/hooks.c
===================================================================
--- subversion/libsvn_repos/hooks.c (revision 28371)
+++ subversion/libsvn_repos/hooks.c (working copy)
@@ -548,7 +548,7 @@
}
else if (hook)
{
- const char *args[4];
+ const char *args[5];
char *capabilities_string = svn_cstring_join(capabilities, ":", pool);
/* Get rid of that annoying final colon. */
Daniel
--
http://www.fastmail.fm/
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Re: [PATCH] Out of bounds array access in hooks.c
Posted by Karl Fogel <kf...@red-bean.com>.
Philip Martin <ph...@codematters.co.uk> writes:
> Karl Fogel <kf...@red-bean.com> writes:
>> Thanks, Daniel and David. That was my bad, I think. It passed all my
>> testing too; I have no idea what the compiler was doing with array
>> allocation such that there was always room, but I wish it hadn't :-).
>
> You could use this technique:
>
> int i = 0;
> const char *args[3];
>
> args[i++] = ...;
> args[i++] = ...;
> args[i++] = ...;
>
> assert(i == sizeof(args)/sizeof(args[0]));
Neat trick! I may use it next time.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Re: [PATCH] Out of bounds array access in hooks.c
Posted by Philip Martin <ph...@codematters.co.uk>.
Karl Fogel <kf...@red-bean.com> writes:
> Thanks, Daniel and David. That was my bad, I think. It passed all my
> testing too; I have no idea what the compiler was doing with array
> allocation such that there was always room, but I wish it hadn't :-).
You could use this technique:
int i = 0;
const char *args[3];
args[i++] = ...;
args[i++] = ...;
args[i++] = ...;
assert(i == sizeof(args)/sizeof(args[0]));
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Re: [PATCH] Out of bounds array access in hooks.c
Posted by Karl Fogel <kf...@red-bean.com>.
"David Glasser" <gl...@davidglasser.net> writes:
> On Dec 10, 2007 10:10 AM, Daniel <da...@fastmail.fm> wrote:
>> Hi All,
>>
>> hooks.c declares (line 551) an array of four elements and accesses five
>> of its elements:
>
> Good catch! (Fortunately this bug is new on trunk.) r28375.
Thanks, Daniel and David. That was my bad, I think. It passed all my
testing too; I have no idea what the compiler was doing with array
allocation such that there was always room, but I wish it hadn't :-).
-Karl
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Re: [PATCH] Out of bounds array access in hooks.c
Posted by David Glasser <gl...@davidglasser.net>.
On Dec 10, 2007 10:10 AM, Daniel <da...@fastmail.fm> wrote:
> Hi All,
>
> hooks.c declares (line 551) an array of four elements and accesses five
> of its elements:
Good catch! (Fortunately this bug is new on trunk.) r28375.
--dave
--
David Glasser | glasser@davidglasser.net | http://www.davidglasser.net/
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org