Karim BELABAS on Wed, 20 Jan 1999 13:07:31 +0100 (MET)



Re: buffer overflow


[Igor:]
> this is my .gprc file:
> ------------------------------------------------------------------------
> read "/home/igor/.libgp"
> ------------------------------------------------------------------------
> 
> this is my .libgp file:
> ------------------------------------------------------------------------
> res=-23708160*x^9 - 225566208*x^8 - 1131314688*x^7 - 3968372736*x^6 -\ 
> 7276863744*x^5 - 1112932224*x^4 + 22694392512*x^3 + +49279399488*x^2 +\ 
> 50845741200*x + 22483386864;
> ------------------------------------------------------------------------
> 
> this is what I do:
> % gp -q
> ? \r
> ? \r
>   ***   buffer overflow in get_sep.
> 
> I traced it down to the fact that GET_SEP_SIZE is defined to be 128,
> so the error occurs when a line in the input file is longer than 128.

Off-by-one error: get_sep was reading another string than the one it was sent
(it skipped the ending '\0'). get_sep2 was doing the same thing. [I'm also
cleaning up the code a little bit.]

GET_SEP_SIZE is only used as maximum length for tokens input interactively
(file names mostly...). It has nothing to do with the input files themselves.

  Karim.


*** src/gp/gp.c.orig	Mon Jan 18 13:25:40 1999
--- src/gp/gp.c	Wed Jan 20 13:00:20 1999
***************
*** 143,151 ****
  
    for(;;)
    {
!     char c = *s++ = *t++;
!     if (c == '"' && (outer || s[-2] != '\\')) outer = !outer;
!     if (!*t || (outer && separe(*t))) { *s=0; return buf; }
      if (s == lim) err(talker,"buffer overflow in get_sep");
    }
  }
--- 143,158 ----
  
    for(;;)
    {
!     switch(*s++ = *t++)
!     {
!       case '"':
!         if (outer || s[-2] != '\\') outer = !outer;
!         break;
!       case '\0':
!         return buf;
!       default:
!         if (outer && separe(*t)) { *s=0; return buf; }
!     }
      if (s == lim) err(talker,"buffer overflow in get_sep");
    }
  }
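Review bot: the `break` in `case '"'` skips the separator test that the old code ran after every byte, so a separator directly after a closing quote (e.g. the space in `"foo" bar`) is no longer recognised and the token runs on into `bar`; the old `if (!*t || (outer && separe(*t)))` caught that. Either let the quote case fall through to the `default` test after toggling `outer`, or repeat `if (outer && separe(*t)) { *s=0; return buf; }` there. Also, in the `default` branch `*s=0` is written before the `s == lim` check, so `lim` must leave one byte of slack in `buf` for the terminator; worth confirming where `lim` is set.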
***************
*** 159,167 ****
  
    for(;;)
    {
!     if (*s++ == '"' && (outer || s[-2] != '\\')) outer = !outer;
!     if (!*s) return 0;
!     if (outer && separe(*s)) { *s=1; return 0; }
    }
  }
  
--- 166,181 ----
  
    for(;;)
    {
!     switch (*s++)
!     {
!       case '"':
!         if (outer || s[-2] != '\\') outer = !outer;
!         break;
!       case '\0':
!         return 0;
!       default:
!         if (outer && separe(*s)) { *s=0; return 1; }
!     }
    }
  }
  
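Review bot: the contract of get_sep2 changes here (`*s=1; return 0` becomes `*s=0; return 1`, and end of string now returns 0 rather than being the only way to return), so every caller must now read 1 as "separator found, token terminated in place" and 0 as "end of string"; the message does not mention this and the patch shows no caller updates, so they should be checked. The `break` after the `'"'` case has the same effect as in get_sep: a separator immediately following a closing quote is not tested, because `separe(*s)` only runs in the `default` branch.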
--
Karim Belabas                    email: Karim.Belabas@math.u-psud.fr
Dep. de Mathematiques, Bat. 425
Universite Paris-Sud             Tel: (00 33) 1 69 15 57 48
F-91405 Orsay (France)           Fax: (00 33) 1 69 15 60 19
--
PARI/GP Home Page: http://pari.home.ml.org
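A stand-alone reconstruction of the get_sep loop before and after the patch, added here as an example; it is not PARI/GP code and not part of this message. It exists to show the off-by-one described above on an empty argument. Everything outside the two loops is assumed, not taken from the patch: separe() is assumed to treat space, ';' and ',' as separators, outer is assumed to start true meaning "outside quotes", and lim is assumed to be the last byte of a 128-byte buffer. The functions return the token length, or -1 where gp would have printed "buffer overflow in get_sep".

```c
/* Added example (not PARI/GP code): reconstruction of the get_sep loop
 * before and after the patch, to show the off-by-one on an empty token.
 * Assumptions not in the original: separe() recognises ' ', ';' and ',';
 * outer starts true (outside quotes); lim is the last byte of the buffer. */
#include <stdio.h>
#include <string.h>

#define GET_SEP_SIZE 128   /* value quoted in the bug report */

static int separe(char c) { return c == ' ' || c == ';' || c == ','; }

/* Pre-patch loop.  Returns the token length, or -1 where the original
 * would have raised "buffer overflow in get_sep". */
static int get_sep_old(const char *t, char *buf)
{
  char *s = buf, *lim = buf + GET_SEP_SIZE - 1;
  int outer = 1;
  for (;;)
  {
    char c = *s++ = *t++;
    if (c == '"' && (outer || s[-2] != '\\')) outer = !outer;
    /* BUG: if c was the terminating '\0', t now points past the end of
     * the string and *t is whatever lives next in memory. */
    if (!*t || (outer && separe(*t))) { *s = 0; return (int)(s - buf); }
    if (s == lim) return -1;
  }
}

/* Patched loop: the copied byte itself is inspected, so the '\0' is
 * handled before t advances past it. */
static int get_sep_new(const char *t, char *buf)
{
  char *s = buf, *lim = buf + GET_SEP_SIZE - 1;
  int outer = 1;
  for (;;)
  {
    switch (*s++ = *t++)
    {
      case '"':
        if (outer || s[-2] != '\\') outer = !outer;
        break;
      case '\0':
        return (int)(s - buf) - 1;        /* NUL already copied */
      default:
        if (outer && separe(*t)) { *s = 0; return (int)(s - buf); }
    }
    if (s == lim) return -1;
  }
}

/* Constructed memory layout: an empty token whose '\0' is immediately
 * followed by 200 non-separator bytes, standing in for whatever happened
 * to sit after the empty argument of "\r" in the report. */
static char adjacent[1 + 200 + 1];

static void fill_adjacent(void)
{
  adjacent[0] = '\0';
  memset(adjacent + 1, 'x', 200);
  adjacent[201] = '\0';
}

int demo_old_reads_past_nul(void)
{
  char buf[GET_SEP_SIZE];
  fill_adjacent();
  return get_sep_old(adjacent, buf);   /* -1: "buffer overflow in get_sep" */
}

int demo_new_stops_at_nul(void)
{
  char buf[GET_SEP_SIZE];
  fill_adjacent();
  return get_sep_new(adjacent, buf);   /* 0: empty token */
}

/* Token length of a normal argument under each version. */
int token_old(const char *t) { char buf[GET_SEP_SIZE]; return get_sep_old(t, buf); }
int token_new(const char *t) { char buf[GET_SEP_SIZE]; return get_sep_new(t, buf); }

int main(void)
{
  printf("empty token next to live data, old: %d   new: %d\n",
         demo_old_reads_past_nul(), demo_new_stops_at_nul());
  printf("\"foo bar\", old: %d   new: %d\n",
         token_old("foo bar"), token_new("foo bar"));
  printf("quoted token followed by a space, old: %d   new: %d\n",
         token_old("\"a b\" c"), token_new("\"a b\" c"));
  return 0;
}
```

With an empty argument (the `\r` with no file name in the report) whose NUL happens to be followed in memory by other bytes, the old loop copies the NUL, then tests `*t` one byte past the end of the string and keeps copying the neighbouring data until it reaches `lim`; the patched loop returns as soon as it has copied the NUL. The last case also shows the side effect of the `break` in the quote case under the assumed separe(): the old loop ends `"a b" c` at the closing quote (length 5), the patched one runs on to the end of the string (length 7).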