
Fix buffer overrun with unbuffered custom binary input ports.

Fixes <http://bugs.gnu.org/19621>.

Before that, in 'cbip_fill_input', BUFFERED would be set to 0 when
reading from 'scm_getc' et al, because 'shortbuf' was being used.  Thus,
we could eventually execute this line:

      /* Copy the data back to the internal buffer.  */
      memcpy ((char *) c_port->read_pos, SCM_BYTEVECTOR_CONTENTS (bv),
	      c_octets);

But 'read_pos' would quickly point to the fields beyond 'shortbuf',
thereby leading to a corruption of the 'scm_t_port' itself.

* libguile/r6rs-ports.c (cbip_setvbuf): When READ_SIZE is 0, keep using
  BV as the 'read_buf'.
  (cbip_fill_input): Adjust assertion to accept 'read_buf_size = 1'.
* test-suite/tests/r6rs-ports.test ("7.2.7 Input Ports")["custom binary
  input port unbuffered & 'get-string-all'", "custom binary input port
  unbuffered UTF-8 & 'get-string-all'"]: New tests.
Ludovic Courtès 2015-01-18 21:52:48 +01:00
parent e1d29ee4f7
commit ed72201a79
2 changed files with 42 additions and 8 deletions


@ -1,4 +1,4 @@
/* Copyright (C) 2009, 2010, 2011, 2013, 2014 Free Software Foundation, Inc.
/* Copyright (C) 2009, 2010, 2011, 2013-2015 Free Software Foundation, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public License
@ -307,9 +307,10 @@ cbip_setvbuf (SCM port, long read_size, long write_size)
switch (read_size)
{
case 0:
/* Unbuffered: keep PORT's bytevector as is (it will be used in
future 'scm_c_read' calls), but point to the one-byte buffer. */
pt->read_buf = &pt->shortbuf;
/* Unbuffered: keep using PORT's bytevector as the underlying
buffer (it will also be used by future 'scm_c_read' calls.) */
assert (SCM_BYTEVECTOR_LENGTH (bv) >= 1);
pt->read_buf = (unsigned char *) SCM_BYTEVECTOR_CONTENTS (bv);
pt->read_buf_size = 1;
break;
@ -404,9 +405,11 @@ cbip_fill_input (SCM port)
if (buffered)
{
/* Make sure the buffer isn't corrupt. BV can be passed directly
to READ_PROC. */
assert (c_port->read_buf_size == SCM_BYTEVECTOR_LENGTH (bv));
/* Make sure the buffer isn't corrupt. Its size can be 1 when
someone called 'setvbuf' with _IONBF. BV can be passed
directly to READ_PROC. */
assert (c_port->read_buf_size == SCM_BYTEVECTOR_LENGTH (bv)
|| c_port->read_buf_size == 1);
c_port->read_pos = (unsigned char *) SCM_BYTEVECTOR_CONTENTS (bv);
}
else
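Review bot: Both checks this fix relies on are `assert`s, namely `assert (SCM_BYTEVECTOR_LENGTH (bv) >= 1);` in cbip_setvbuf and the relaxed size assertion in cbip_fill_input, so a build with NDEBUG defined drops them and nothing is left to enforce the buffer-size invariant behind the overrun. The allocation of BV is outside these hunks; if its length is non-zero by construction, a comment next to the setvbuf assertion would record that, e.g. `/* BV always has a non-zero length (see its allocation), so a one-byte window fits.  */`, to be confirmed against the allocation site. The relaxed assertion now admits `read_buf_size == 1` with a larger BV, so it is worth confirming that the code following this hunk treats the port as holding at most `read_buf_size` octets after READ_PROC returns. Both functions begin and end outside the hunks shown.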