From ed72201a795ac1c8d6c0288b6bb710f2bd0ebd9c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ludovic=20Court=C3=A8s?=
Date: Sun, 18 Jan 2015 21:52:48 +0100
Subject: [PATCH] Fix buffer overrun with unbuffered custom binary input ports.

Fixes .

Before that, in 'cbip_fill_input', BUFFERED would be set to 0 when reading from 'scm_getc' et al, because 'shortbuf' was being used. Thus, we could eventually execute this line:

/* Copy the data back to the internal buffer. */
memcpy ((char *) c_port->read_pos, SCM_BYTEVECTOR_CONTENTS (bv), c_octets);

But 'read_pos' would quickly point to the fields beyond 'shortbuf', thereby leading to a corruption of the 'scm_t_port' itself.

* libguile/r6rs-ports.c (cbip_setvbuf): When READ_SIZE is 0, keep using BV as the 'read_buf'.
(cbip_fill_input): Adjust assertion to accept 'read_buf_size = 1'.
* test-suite/tests/r6rs-ports.test ("7.2.7 Input Ports")["custom binary input port unbuffered & 'get-string-all'", "custom binary input port unbuffered UTF-8 & 'get-string-all'"]: New tests.
---
libguile/r6rs-ports.c | 17 +++++++++-------
test-suite/tests/r6rs-ports.test | 33 +++++++++++++++++++++++++++++++-
2 files changed, 42 insertions(+), 8 deletions(-)

diff --git a/libguile/r6rs-ports.c b/libguile/r6rs-ports.c
index 83f899670..93171f06d 100644
--- a/libguile/r6rs-ports.c
+++ b/libguile/r6rs-ports.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2009, 2010, 2011, 2013, 2014 Free Software Foundation, Inc.
+/* Copyright (C) 2009, 2010, 2011, 2013-2015 Free Software Foundation, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public License 
@@ -307,9 +307,10 @@ cbip_setvbuf (SCM port, long read_size, long write_size)
 switch (read_size)
 {
 case 0:
- /* Unbuffered: keep PORT's bytevector as is (it will be used in
- future 'scm_c_read' calls), but point to the one-byte buffer. */
- pt->read_buf = &pt->shortbuf;
+ /* Unbuffered: keep using PORT's bytevector as the underlying
+ buffer (it will also be used by future 'scm_c_read' calls.) */
+ assert (SCM_BYTEVECTOR_LENGTH (bv) >= 1);
+ pt->read_buf = (unsigned char *) SCM_BYTEVECTOR_CONTENTS (bv);
 pt->read_buf_size = 1;
 break;
@@ -404,9 +405,11 @@ cbip_fill_input (SCM port)
 if (buffered)
 {
- /* Make sure the buffer isn't corrupt. BV can be passed directly
- to READ_PROC. */
- assert (c_port->read_buf_size == SCM_BYTEVECTOR_LENGTH (bv));
+ /* Make sure the buffer isn't corrupt. Its size can be 1 when
+ someone called 'setvbuf' with _IONBF. BV can be passed
+ directly to READ_PROC. */
+ assert (c_port->read_buf_size == SCM_BYTEVECTOR_LENGTH (bv)
+ || c_port->read_buf_size == 1);
 c_port->read_pos = (unsigned char *) SCM_BYTEVECTOR_CONTENTS (bv);
 }
 else
diff --git a/test-suite/tests/r6rs-ports.test b/test-suite/tests/r6rs-ports.test
index dba803601..e5f1266a0 100644
--- a/test-suite/tests/r6rs-ports.test
+++ b/test-suite/tests/r6rs-ports.test
@@ -1,6 +1,6 @@
 ;;;; r6rs-ports.test --- R6RS I/O port tests. -*- coding: utf-8; -*-
 ;;;;
-;;;; Copyright (C) 2009, 2010, 2011, 2012, 2014 Free Software Foundation, Inc.
+;;;; Copyright (C) 2009-2012, 2014-2015 Free Software Foundation, Inc.
 ;;;; Ludovic Courtès
 ;;;;
 ;;;; This library is free software; you can redistribute it and/or 
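Review bot: The new `assert (SCM_BYTEVECTOR_LENGTH (bv) >= 1)` in the `case 0:` branch is the only guard before `read_buf` is pointed at BV with `read_buf_size = 1`, and `assert` is compiled out under NDEBUG; unless port construction already guarantees a non-empty bytevector (that code is outside this hunk), a release build would leave `read_buf` as a one-byte window past the end of an empty object, the same memory-corruption class this commit fixes. Since `read_size == 0` is reachable from Scheme via `(setvbuf port _IONBF)`, an unconditional check that raises, e.g. `if (SCM_BYTEVECTOR_LENGTH (bv) < 1) scm_misc_error ("setvbuf", "empty port buffer", SCM_EOL);`, would hold in every build. The widened `assert` in the cbip_fill_input hunk below is an internal consistency check rather than an input guard, so it can stay as an assert. cbip_setvbuf starts and ends outside the hunk.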
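Review bot: With `read_buf_size == 1` now accepted while `c_port->read_pos` is still reset to the start of BV and BV is passed whole to READ_PROC, the count requested from the user's `read!` procedure (computed later in cbip_fill_input, outside this hunk) has to be derived from `read_buf_size`, not from `SCM_BYTEVECTOR_LENGTH (bv)`; otherwise `read!` may legitimately fill far more than the one byte the port advertises and whatever copies those octets afterwards is bounded by the wrong size. I cannot see that code here, so this is a request to confirm rather than a defect. The comment would carry that invariant if it named the request size, e.g. `/* ... Its size can be 1 when someone called 'setvbuf' with _IONBF; READ_PROC is then asked for at most READ_BUF_SIZE octets even though BV is larger. */`, provided that is what the code below does. cbip_fill_input starts and ends outside the hunk.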
@@ -557,6 +557,37 @@ not `set-port-position!'"
 obj))
 ret)))))
+ (pass-if-equal "custom binary input port unbuffered & 'get-string-all'"
+ (make-string 1000 #\a)
+ ;; In Guile 2.0.11 this test would lead to a buffer overrun followed
+ ;; by an assertion failure. See .
+ (let* ((input (with-fluids ((%default-port-encoding #f))
+ (open-input-string (make-string 1000 #\a))))
+ (read! (lambda (bv index count)
+ (let ((n (get-bytevector-n! input bv index
+ count)))
+ (if (eof-object? n) 0 n))))
+ (port (make-custom-binary-input-port "foo" read!
+ #f #f #f)))
+ (setvbuf port _IONBF)
+ (get-string-all port)))
+
+ (pass-if-equal "custom binary input port unbuffered UTF-8 & 'get-string-all'"
+ (make-string 1000 #\λ)
+ ;; In Guile 2.0.11 this test would lead to a buffer overrun followed
+ ;; by an assertion failure. See .
+ (let* ((input (with-fluids ((%default-port-encoding "UTF-8"))
+ (open-input-string (make-string 1000 #\λ))))
+ (read! (lambda (bv index count)
+ (let ((n (get-bytevector-n! input bv index
+ count)))
+ (if (eof-object? n) 0 n))))
+ (port (make-custom-binary-input-port "foo" read!
+ #f #f #f)))
+ (setvbuf port _IONBF)
+ (set-port-encoding! port "UTF-8")
+ (get-string-all port)))
+
 (pass-if-equal "custom binary input port, unbuffered then buffered"
 `((6 "Lorem ") (12 "ipsum dolor ") (777 "sit amet, consectetur…") (777 ,(eof-object)))
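Review bot: The two new `pass-if-equal` forms duplicate the `read!` lambda and the `make-custom-binary-input-port` / `setvbuf` setup line for line; a small helper in the test file would reduce each case to its actual difference (the string port's encoding and the `set-port-encoding!` call) and give the next unbuffered regression test a place to go. The `See .` in both comments reads as an empty reference in this copy of the patch; if the bug pointer was dropped in transit it should be restored so the comment leads somewhere. The enclosing test group ("7.2.7 Input Ports" per the commit message) starts and ends outside the hunk.
```scheme
(define (make-unbuffered-port input)
  ;; Wrap INPUT in an unbuffered custom binary input port whose `read!'
  ;; reports EOF as 0, exactly as both new tests do inline.
  (let* ((read! (lambda (bv index count)
                  (let ((n (get-bytevector-n! input bv index count)))
                    (if (eof-object? n) 0 n))))
         (port (make-custom-binary-input-port "foo" read! #f #f #f)))
    (setvbuf port _IONBF)
    port))

;; … unchanged: each pass-if-equal keeps its expected string and comment,
;; and its body becomes (get-string-all (make-unbuffered-port input)),
;; with the UTF-8 case still calling set-port-encoding! first …
```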