mirror/guile
mirror/guile
1
Fork 0
mirror of https://git.savannah.gnu.org/git/guile.git synced 2025-05-11 08:10:21 +02:00
Code Activity

Fix buffer overrun with unbuffered custom binary input ports.

Browse source 
Fixes <http://bugs.gnu.org/19621>.

Before that, in 'cbip_fill_input', BUFFERED would be set to 0 when
reading from 'scm_getc' et al, because 'shortbuf' was being used.  Thus,
we could eventually execute this line:

      /* Copy the data back to the internal buffer.  */
      memcpy ((char *) c_port->read_pos, SCM_BYTEVECTOR_CONTENTS (bv),
	      c_octets);

But 'read_pos' would quickly point to the fields beyond 'shortbuf',
thereby leading to a corruption of the 'scm_t_port' itself.

* libguile/r6rs-ports.c (cbip_setvbuf): When READ_SIZE is 0, keep using
  BV as the 'read_buf'.
  (cbip_fill_input): Adjust assertion to accept 'read_buf_size = 1'.
* test-suite/tests/r6rs-ports.test ("7.2.7 Input Ports")["custom binary
  input port unbuffered & 'get-string-all'", "custom binary input port
  unbuffered UTF-8 & 'get-string-all'"]: New tests.
This commit is contained in:
Ludovic Courtès 2015-01-18 21:52:48 +01:00
parent e1d29ee4f7
commit ed72201a79
2 changed files with 42 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

17
libguile/r6rs-ports.c
View file

@ -1,4 +1,4 @@
/* Copyright (C) 2009, 2010, 2011, 2013, 2014 Free Software Foundation, Inc. /* Copyright (C) 2009, 2010, 2011, 2013-2015 Free Software Foundation, Inc.
* *
* This library is free software; you can redistribute it and/or * This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public License * modify it under the terms of the GNU Lesser General Public License
@ -307,9 +307,10 @@ cbip_setvbuf (SCM port, long read_size, long write_size)
switch (read_size) switch (read_size)
{ {
case 0: case 0:
/* Unbuffered: keep PORT's bytevector as is (it will be used in /* Unbuffered: keep using PORT's bytevector as the underlying
future 'scm_c_read' calls), but point to the one-byte buffer. */ buffer (it will also be used by future 'scm_c_read' calls.) */
pt->read_buf = &pt->shortbuf; assert (SCM_BYTEVECTOR_LENGTH (bv) >= 1);
pt->read_buf = (unsigned char *) SCM_BYTEVECTOR_CONTENTS (bv);
pt->read_buf_size = 1; pt->read_buf_size = 1;
break; break;
@ -404,9 +405,11 @@ cbip_fill_input (SCM port)
if (buffered) if (buffered)
{ {
/* Make sure the buffer isn't corrupt. BV can be passed directly /* Make sure the buffer isn't corrupt. Its size can be 1 when
to READ_PROC. */ someone called 'setvbuf' with _IONBF. BV can be passed
assert (c_port->read_buf_size == SCM_BYTEVECTOR_LENGTH (bv)); directly to READ_PROC. */
assert (c_port->read_buf_size == SCM_BYTEVECTOR_LENGTH (bv)
|| c_port->read_buf_size == 1);
c_port->read_pos = (unsigned char *) SCM_BYTEVECTOR_CONTENTS (bv); c_port->read_pos = (unsigned char *) SCM_BYTEVECTOR_CONTENTS (bv);
} }
else else

33
test-suite/tests/r6rs-ports.test
View file

@ -1,6 +1,6 @@
;;;; r6rs-ports.test --- R6RS I/O port tests. -*- coding: utf-8; -*- ;;;; r6rs-ports.test --- R6RS I/O port tests. -*- coding: utf-8; -*-
;;;; ;;;;
;;;; Copyright (C) 2009, 2010, 2011, 2012, 2014 Free Software Foundation, Inc. ;;;; Copyright (C) 2009-2012, 2014-2015 Free Software Foundation, Inc.
;;;; Ludovic Courtès ;;;; Ludovic Courtès
;;;; ;;;;
;;;; This library is free software; you can redistribute it and/or ;;;; This library is free software; you can redistribute it and/or
@ -557,6 +557,37 @@ not `set-port-position!'"
obj)) obj))
ret))))) ret)))))
(pass-if-equal "custom binary input port unbuffered & 'get-string-all'"
(make-string 1000 #\a)
;; In Guile 2.0.11 this test would lead to a buffer overrun followed
;; by an assertion failure. See <http://bugs.gnu.org/19621>.
(let* ((input (with-fluids ((%default-port-encoding #f))
(open-input-string (make-string 1000 #\a))))
(read! (lambda (bv index count)
(let ((n (get-bytevector-n! input bv index
count)))
(if (eof-object? n) 0 n))))
(port (make-custom-binary-input-port "foo" read!
#f #f #f)))
(setvbuf port _IONBF)
(get-string-all port)))
(pass-if-equal "custom binary input port unbuffered UTF-8 & 'get-string-all'"
(make-string 1000 #\λ)
;; In Guile 2.0.11 this test would lead to a buffer overrun followed
;; by an assertion failure. See <http://bugs.gnu.org/19621>.
(let* ((input (with-fluids ((%default-port-encoding "UTF-8"))
(open-input-string (make-string 1000 #\λ))))
(read! (lambda (bv index count)
(let ((n (get-bytevector-n! input bv index
count)))
(if (eof-object? n) 0 n))))
(port (make-custom-binary-input-port "foo" read!
#f #f #f)))
(setvbuf port _IONBF)
(set-port-encoding! port "UTF-8")
(get-string-all port)))
(pass-if-equal "custom binary input port, unbuffered then buffered" (pass-if-equal "custom binary input port, unbuffered then buffered"
`((6 "Lorem ") (12 "ipsum dolor ") (777 "sit amet, consectetur…") `((6 "Lorem ") (12 "ipsum dolor ") (777 "sit amet, consectetur…")
(777 ,(eof-object))) (777 ,(eof-object)))