[PATCH] Out of bounds array access in hooks.c

[Daniel <da...@fastmail.fm>]

Hi All,

hooks.c declares (line 551) an array of four elements and accesses five
of its elements:

    {
      const char *args[4];
      char *capabilities_string = svn_cstring_join(capabilities, ":", pool);

      /* Get rid of that annoying final colon. */
      if (capabilities_string[0])
        capabilities_string[strlen(capabilities_string) - 1] = '\0';

      args[0] = hook;
      args[1] = svn_path_local_style(svn_repos_path(repos, pool), pool);
      args[2] = user ? user : "";
      args[3] = capabilities_string;
      args[4] = NULL;

      SVN_ERR(run_hook_cmd(SVN_REPOS__HOOK_START_COMMIT, hook, args, NULL,
                           pool));
    }

This fixes the problem:

[[[
Follow-up to r27614: Fix segfault.

* subversion/libsvn_repos/hooks.c
  (svn_repos__hooks_start_commit): Allocate one more array element.
]]]

Index: subversion/libsvn_repos/hooks.c
===================================================================
--- subversion/libsvn_repos/hooks.c	(revision 28371)
+++ subversion/libsvn_repos/hooks.c	(working copy)
@@ -548,7 +548,7 @@
     }
   else if (hook)
     {
-      const char *args[4];
+      const char *args[5];
       char *capabilities_string = svn_cstring_join(capabilities, ":", pool);
 
       /* Get rid of that annoying final colon. */

Daniel
-- 
http://www.fastmail.fm/

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: [PATCH] Out of bounds array access in hooks.c

[Karl Fogel <kf...@red-bean.com>]

Philip Martin <ph...@codematters.co.uk> writes:
> Karl Fogel <kf...@red-bean.com> writes:
>> Thanks, Daniel and David.  That was my bad, I think.  It passed all my
>> testing too; I have no idea what the compiler was doing with array
>> allocation such that there was always room, but I wish it hadn't :-).
>
> You could use this technique:
>
>    int i = 0;
>    const char *args[3];
>
>    args[i++] = ...;
>    args[i++] = ...;
>    args[i++] = ...;
>
>    assert(i == sizeof(args)/sizeof(args[0]));

Neat trick!  I may use it next time.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: [PATCH] Out of bounds array access in hooks.c

[Philip Martin <ph...@codematters.co.uk>]

Karl Fogel <kf...@red-bean.com> writes:

> Thanks, Daniel and David.  That was my bad, I think.  It passed all my
> testing too; I have no idea what the compiler was doing with array
> allocation such that there was always room, but I wish it hadn't :-).

You could use this technique:

   int i = 0;
   const char *args[3];

   args[i++] = ...;
   args[i++] = ...;
   args[i++] = ...;

   assert(i == sizeof(args)/sizeof(args[0]));

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: [PATCH] Out of bounds array access in hooks.c

[Karl Fogel <kf...@red-bean.com>]

"David Glasser" <gl...@davidglasser.net> writes:
> On Dec 10, 2007 10:10 AM, Daniel <da...@fastmail.fm> wrote:
>> Hi All,
>>
>> hooks.c declares (line 551) an array of four elements and accesses five
>> of its elements:
>
> Good catch!  (Fortunately this bug is new on trunk.)  r28375.

Thanks, Daniel and David.  That was my bad, I think.  It passed all my
testing too; I have no idea what the compiler was doing with array
allocation such that there was always room, but I wish it hadn't :-).

-Karl

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: [PATCH] Out of bounds array access in hooks.c

[David Glasser <gl...@davidglasser.net>]

On Dec 10, 2007 10:10 AM, Daniel <da...@fastmail.fm> wrote:
> Hi All,
>
> hooks.c declares (line 551) an array of four elements and accesses five
> of its elements:

Good catch!  (Fortunately this bug is new on trunk.)  r28375.

--dave


-- 
David Glasser | glasser@davidglasser.net | http://www.davidglasser.net/

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org