Ticket #7032 (closed Bugs: fixed)

Opened 22 months ago

Last modified 21 months ago

Prevent tool Bug Fix.

Reported by: g.gupta@… Owned by: johnmaddock
Milestone: To Be Determined Component: regex
Version: Boost 1.50.0 Severity: Problem
Keywords: Cc: yogen.saini@…

Description

In file boost_1_50_0_beta1/libs/regex/src/regex_raw_buffer.cpp

std::memcpy(ptr, start, datasize);

If start is NULL but datasize is not zero, then it is a segmentation fault. This is a rare situation but can happen in some scenarios. The attached patch is the fix for it. This problem also persists in the latest beta code.

Attachments

regex_raw_buffer.cpp_patch (608 bytes) - added by g.gupta@… 22 months ago.
Patch file for the reported Bug.

Change History

Changed 22 months ago by g.gupta@…

Patch file for the reported Bug.

comment:1 Changed 22 months ago by anonymous

Can you illustrate how you think this can ever come about - it would be a breach of raw_storage's invariants for this to occur.

So either: the constructor raw_storage(n) has failed to allocate memory, in which case the existing assert in the constructor should have failed; or a previous call to raw_storage::resize failed to allocate memory, in which case the existing assert should have failed.

Of course adding the extra assert doesn't harm, I'm just not sure that it actually does what you think ;-)

comment:2 Changed 22 months ago by g.gupta@…

This extra assert takes care of the situation when start is 0 (null) and datasize is not zero. In that case memcpy will crash because the source is null but the data size is not zero.

Example of memcpy behaviour:

memcpy(p1, NULL, 0); No error

memcpy(p1, NULL, 1); Crash, as the memcpy function will read 1 byte at the null location

The patch which we provided takes care of this situation. It is possible that start is zero and datasize is non-zero, and it is obvious that adding the extra assert doesn't harm :-)
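The failure mode discussed in the description and in comment 2 (a non-zero datasize paired with a NULL start reaching memcpy) can be guarded at the copy itself. The following is an added example, not Boost's raw_storage or the attached patch; raw_buffer, checked_copy and raw_buffer_resize are hypothetical names modelling the grow-and-copy pattern, and the guard returns an error instead of asserting so its behaviour can be observed.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable buffer (constructed stand-in, not Boost's raw_storage). */
struct raw_buffer {
    unsigned char *start;   /* allocated block, or NULL when nothing is allocated */
    size_t datasize;        /* bytes currently in use */
    size_t capacity;        /* bytes allocated */
};

/* Guarded copy: rejects the combination the ticket describes (NULL source
 * with a non-zero length) instead of letting memcpy read through NULL.
 * A zero-length copy is accepted regardless of the pointers.
 * Returns 0 on success, -1 when the copy was refused. */
static int checked_copy(void *dst, const void *src, size_t n) {
    if (n == 0)
        return 0;
    if (src == NULL || dst == NULL)
        return -1;
    memcpy(dst, src, n);
    return 0;
}

/* Grow the buffer to at least n bytes, preserving the bytes in use.
 * Returns 0 on success, -1 if allocation fails or the old contents
 * cannot be copied safely (the invariant datasize > 0 => start != NULL is broken). */
static int raw_buffer_resize(struct raw_buffer *b, size_t n) {
    if (n <= b->capacity)
        return 0;
    unsigned char *ptr = malloc(n);
    if (ptr == NULL)
        return -1;
    /* The check the ticket asks for, placed directly before the copy. */
    if (checked_copy(ptr, b->start, b->datasize) != 0) {
        free(ptr);
        return -1;
    }
    free(b->start);
    b->start = ptr;
    b->capacity = n;
    return 0;
}

/* Returns 1 if the buffer satisfies its invariants, 0 otherwise. */
static int raw_buffer_invariant_ok(const struct raw_buffer *b) {
    if (b->datasize > b->capacity)
        return 0;
    if (b->datasize > 0 && b->start == NULL)
        return 0;
    return 1;
}
```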

comment:3 Changed 22 months ago by johnmaddock

  • Status changed from new to closed
  • Resolution set to fixed

(In [79333]) Add check before copying data. Fixes #7032.

comment:4 Changed 21 months ago by johnmaddock

(In [79556]) Merge collected bug fixes from Trunk: Refs #589. Refs #7032. Refs #7084. Refs #6346.
