re PR preprocessor/8055 (PATCH: cpp0 dies with SIG11 when building FreeBSD kernel)

2002-09-27 Alexander N. Kabaev <ak03@gte.com> PR preprocessor/8055 * cppmacro.c (stringify_arg): Do not overflow the buffer with the terminating NUL when the argument to be stringified has no tokens. * testsuite/gcc.dg/cpp/20020927-1.c: New. From-SVN: r57599
2002-09-28 00:30:37 +00:00 · 2002-09-28 00:30:37 +00:00 · 57147be1b6
parent b1af5a30a5
commit 57147be1b6
4 changed files with 118 additions and 10 deletions
--- a/gcc/ChangeLog
+++ b/gcc/ChangeLog
@ -1,3 +1,10 @@
+2002-09-27  Alexander N. Kabaev <ak03@gte.com>
+
+	PR preprocessor/8055
+	* cppmacro.c (stringify_arg): Do not overflow the buffer
+	with the terminating NUL when the argument to be stringified
+	has no tokens.
+
 2002-09-27  Richard Henderson  <rth@redhat.com>

 	* unroll.c (simplify_cmp_and_jump_insns): New.
@ -74,7 +81,7 @@

 	* dbxout.c (FORCE_TEXT): Switch to current_function_decl, not
 	text_section.
-	* xcoffout.h (DBX_STATIC_BLOCK_START): Remove explicit change to 
+	* xcoffout.h (DBX_STATIC_BLOCK_START): Remove explicit change to
 	text section.
 	* config/rs6000/rs6000.c (rs6000_override_options): Allow
 	function-sections and data-sections functionality on AIX.
@ -143,12 +150,12 @@

 2002-09-24  Eric Christopher  <echristo@redhat.com>

-        * config/mips/elf.h: Add HANDLE_SYSV_PRAGMA.
-        * config/mips/elf64.h: Ditto.
+	* config/mips/elf.h: Add HANDLE_SYSV_PRAGMA.
+	* config/mips/elf64.h: Ditto.

 2002-09-24  Eric Christopher  <echristo@redhat.com>

-        * except.c (expand_builtin_extract_return_address): Handle case
+	* except.c (expand_builtin_extract_return_address): Handle case
 	where Pmode != ptr_mode.

 2002-09-26  Steve Ellcey  <sje@cup.hp.com>
@ -224,11 +231,11 @@

 2002-09-24  Adam Nemet  <anemet@lnxw.com>

-        * config/arm/arm.c (thumb_unexpanded_epilogue): Don't generate
-        epilogue for naked functions.
+	* config/arm/arm.c (thumb_unexpanded_epilogue): Don't generate
+	epilogue for naked functions.

 2002-09-24  Adam Nemet  <anemet@lnxw.com>
-            Nick Clifton  <nickc@redhat.com>
+	    Nick Clifton  <nickc@redhat.com>

 	* config/arm/arm.h (THUMB_FUNCTION_PROFILER): Remove.
 	(FUNCTION_PROFILER): Only invoke THUMB_FUNCTION_PROFILER if it
--- a/gcc/cppmacro.c
+++ b/gcc/cppmacro.c
@ -409,6 +409,12 @@ stringify_arg (pfile, arg)
    }

  /* Commit the memory, including NUL, and return the token.  */
+  if ((size_t) (BUFF_LIMIT (pfile->u_buff) - dest) < 1)
+    {
+      size_t len_so_far = dest - BUFF_FRONT (pfile->u_buff);
+      _cpp_extend_buff (pfile, &pfile->u_buff, 1);
+      dest = BUFF_FRONT (pfile->u_buff) + len_so_far;
+    }
  len = dest - BUFF_FRONT (pfile->u_buff);
  BUFF_FRONT (pfile->u_buff) = dest + 1;
  return new_string_token (pfile, dest - len, len);
--- a/gcc/testsuite/ChangeLog
+++ b/gcc/testsuite/ChangeLog
@ -1,3 +1,7 @@
+2002-09-27  Zack Weinberg  <zack@codesourcery.com>
+
+	* gcc.dg/cpp/20020927-1.c: New.
+
 2002-09-26  David S. Miller  <davem@redhat.com>

 	* gcc.c-torture/compile/trunctfdf.c: New.
@ -98,7 +102,7 @@ Tue Sep 17 13:59:45 2002  Nicola Pero  <n.pero@mi.flashnet.it>
 	* objc.dg/comp-types-3.m: New test.
 	* objc.dg/comp-types-4.m: New test.
 	* objc.dg/comp-types-5.m: New test.
-	* objc.dg/comp-types-6.m: New test.	
+	* objc.dg/comp-types-6.m: New test.

 2002-09-17  John David Anglin  <dave@hiauly1.hia.nrc.ca>

@ -107,9 +111,9 @@ Tue Sep 17 13:59:45 2002  Nicola Pero  <n.pero@mi.flashnet.it>
 2002-09-16  Nathan Sidwell  <nathan@codesourcery.com>

 	* g++.dg/other/do1.C: New test.
-	
+
 	* g++.dg/template/subst1.C: New test.
-	
+
 2002-09-16  Steve Ellcey  <sje@cup.hp.com>

 	* gcc.dg/20020312-2.c: Change __parisc__ to __hppa__.
--- a/gcc/testsuite/gcc.dg/cpp/20020927-1.c
+++ b/gcc/testsuite/gcc.dg/cpp/20020927-1.c
@ -0,0 +1,91 @@
+/* Test case for buffer overflow bug in token stringification.
+   See PR preprocessor/8055 for details.
+   Reported by Alexander N. Kabaev <ak03@gte.com>.
+   Test case written by Zack Weinberg <zack@codesourcery.com>.  */
+
+/* { dg-do preprocess } */
+
+#define S(x) #x
+
+/* Fill up one internal buffer with data.  */
+S(1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  1234567890123456789012345678901234567890123456789012345678901234567890
+  12345678901234567890123456789012345678901234567890123456789012345)
+
+/* When stringify_arg() was called with an empty macro argument, it would
+   advance the buffer pointer by one but fail to check for running past the
+   end of the buffer.  We can only know where the end of the buffer is to
+   within about eight bytes, so do this sixteen times to be sure of hitting
+   it.  */
+
+S()
+S()
+S()
+S()
+S()
+S()
+S()
+S()
+S()
+S()
+S()
+S()
+S()
+S()
+S()
+S()
+
+/* Now allocate more memory in the buffer, which should provoke a crash.  */
+
+S(abcdefghijklmnopqrstuvwxyz)
+S(abcdefghijklmnopqrstuvwxyz)