Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#7032 closed Bugs (fixed)

Prevent tool Bug Fix.

Reported by: g.gupta@…
Owned by: John Maddock
Milestone: To Be Determined
Component: regex
Version: Boost 1.50.0
Severity: Problem
Keywords:
Cc: yogen.saini@…

Description

In file boost_1_50_0_beta1/libs/regex/src/regex_raw_buffer.cpp

std::memcpy(ptr, start, datasize);

If start is NULL but datasize is not zero, then it is a segmentation fault. This is a rare situation but can happen in some scenarios. The attached patch is the fix for it. This problem also persists in the latest beta code.

Attachments (1)

regex_raw_buffer.cpp_patch (608 bytes) - added by g.gupta@… 5 years ago.
Patch file for the reported Bug.


Change History (5)

Changed 5 years ago by g.gupta@…

Attachment: regex_raw_buffer.cpp_patch added

Patch file for the reported Bug.

comment:1 Changed 5 years ago by anonymous

Can you illustrate how you think this can ever come about - it would be a breach of raw_storage's invariants for this to occur.

So either: the constructor raw_storage(n) has failed to allocate memory - in which case the existing assert in the constructor should have failed. Or a previous call to raw_storage::resize failed to allocate memory, in which case the existing assert should have failed.

Of course adding the extra assert doesn't harm, I'm just not sure that it actually does what you think ;-)

comment:2 Changed 5 years ago by g.gupta@…

This extra assert takes care of the situation when start is 0 (null) and datasize is not zero. In that case memcpy will crash because the source is null but the data size is not zero.


example of memcpy behaviour

memcpy(p1, NULL, 0); No error

memcpy(p1, NULL, 1); Crash as memcpy function will read 1 byte at null location


The patch which we provided takes care of this situation. It is possible that start is zero and datasize is non-zero, and it is obvious that adding the extra assert doesn't harm :-)

comment:3 Changed 5 years ago by John Maddock

Resolution: fixed
Status: new → closed

(In [79333]) Add check before copying data. Fixes #7032.

comment:4 Changed 5 years ago by John Maddock

(In [79556]) Merge collected bug fixes from Trunk: Refs #589. Refs #7032. Refs #7084. Refs #6346.
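
The guard discussed in this ticket, as an added example that is not part of the ticket and not Boost's code: `demo_buffer` and all of its members are hypothetical names. It checks the invariant raised in comment 1 at run time and skips the copy when the source pointer is null.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <cstring>
// Hypothetical growable byte buffer for illustration; not Boost's raw_storage.
class demo_buffer {
    unsigned char* start_ = nullptr;  // null until the first allocation
    std::size_t size_ = 0;            // bytes in use
    std::size_t cap_ = 0;             // bytes allocated
public:
    demo_buffer() = default;
    demo_buffer(const demo_buffer&) = delete;
    demo_buffer& operator=(const demo_buffer&) = delete;
    ~demo_buffer() { std::free(start_); }
    // Invariant debated in the ticket: a null start must mean there is no data.
    bool invariant_ok() const { return size_ <= cap_ && (start_ != nullptr || size_ == 0); }
    // Grow to n bytes; returns false and leaves the buffer untouched on failure.
    bool reserve(std::size_t n) {
        if (!invariant_ok()) return false;  // null start with data: refuse to copy
        if (n <= cap_) return true;
        unsigned char* p = static_cast<unsigned char*>(std::malloc(n));
        if (p == nullptr) return false;     // runtime check; assert() vanishes under NDEBUG
        // C11/C17 require valid memcpy pointers even at length 0; this covers the empty buffer.
        if (start_ != nullptr) std::memcpy(p, start_, size_);
        std::free(start_);
        start_ = p;
        cap_ = n;
        return true;
    }
    bool append(const void* src, std::size_t n) {
        if (n == 0) return true;
        if (src == nullptr || n > static_cast<std::size_t>(-1) - size_) return false;
        if (!reserve(size_ + n)) return false;
        std::memcpy(start_ + size_, src, n);
        size_ += n;
        return true;
    }
    std::size_t size() const { return size_; }
    const unsigned char* data() const { return start_; }
    // Test hook (constructed scenario): drop the allocation but keep the recorded size.
    void break_invariant() { std::free(start_); start_ = nullptr; }
};

int main() {
    demo_buffer b;
    bool ok = b.append("abc", 3) && b.append("def", 3);
    b.break_invariant();
    std::printf("append ok=%d, reserve after break=%d\n", ok, b.reserve(64));
}
```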
