In get_string_constant(), the code tried to reuse the storage for the string
but only if the expansion of the string was not bigger than its unexpanded form.
But this string can be shared with other expressions and reusing the buffer will
result in later corruption
A minimal exemple would be something like:
const char a[] = BACKSLASH;
const char b[] = BACKSLASH;
The expansion for 'a' will correctly produce the two-char string consisting
of a backslash char followed by a null char.
But then the expansion of 'b' will expand this once more,
producing the expansion of "\0": the two-char string: { '\0', '\0' }.
The fix is to not reuse the storage for the string if any king of expansion
have been done.
Reported-by: Rasmus Villemoes <linux@xxxxxxxxxxxxxxxxxx>
Signed-off-by: Luc Van Oostenryck <luc.vanoostenryck@xxxxxxxxx>
---
char.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/char.c b/char.c
index 08ca2230..2e21bb77 100644
--- a/char.c
+++ b/char.c
@@ -123,11 +123,15 @@ struct token *get_string_constant(struct token *token, struct expression *expr)
len = MAX_STRING;
}
- if (len >= string->length) /* can't cannibalize */
+ /* The input string can be shared with other expression and so
+ * its storage can't be reused if any kind of expansion have been done on it.
+ */
+ if ((len != string->length) || memcmp(buffer, string->data, len)) {
string = __alloc_string(len+1);
- string->length = len+1;
- memcpy(string->data, buffer, len);
- string->data[len] = '\0';
+ string->length = len+1;
+ memcpy(string->data, buffer, len);
+ string->data[len] = '\0';
+ }
expr->string = string;
expr->wide = is_wide;
return token;
--
2.2.0
--
To unsubscribe from this list: send the line "unsubscribe linux-sparse" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
