From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: Andy Wingo <wingo@pobox.com>
Newsgroups: gmane.lisp.guile.bugs
Subject: bug#13827: faulty range check in bytevector accessor
Date: Wed, 13 Mar 2013 13:55:14 +0100
Message-ID: <87k3pbh32l.fsf@pobox.com>
References: <87liaay0o1.fsf@Kagami.home>
NNTP-Posting-Host: plane.gmane.org
Mime-Version: 1.0
Content-Type: text/plain
X-Trace: ger.gmane.org 1363179367 12588 80.91.229.3 (13 Mar 2013 12:56:07 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Wed, 13 Mar 2013 12:56:07 +0000 (UTC)
Cc: 13827@debbugs.gnu.org
To: Ian Price <ianprice90@googlemail.com>
Original-X-From: bug-guile-bounces+guile-bugs=m.gmane.org@gnu.org Wed Mar 13 13:56:32 2013
Return-path: <bug-guile-bounces+guile-bugs=m.gmane.org@gnu.org>
Envelope-to: guile-bugs@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by plane.gmane.org with esmtp (Exim 4.69)
	(envelope-from <bug-guile-bounces+guile-bugs=m.gmane.org@gnu.org>)
	id 1UFlEJ-000339-BN
	for guile-bugs@m.gmane.org; Wed, 13 Mar 2013 13:56:27 +0100
Original-Received: from localhost ([::1]:59682 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <bug-guile-bounces+guile-bugs=m.gmane.org@gnu.org>)
	id 1UFlDx-0001rf-1N
	for guile-bugs@m.gmane.org; Wed, 13 Mar 2013 08:56:05 -0400
Original-Received: from eggs.gnu.org ([208.118.235.92]:48326)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1UFlDs-0001qk-6e
	for bug-guile@gnu.org; Wed, 13 Mar 2013 08:56:02 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1UFlDp-0000BW-IM
	for bug-guile@gnu.org; Wed, 13 Mar 2013 08:56:00 -0400
Original-Received: from debbugs.gnu.org ([140.186.70.43]:46460)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1UFlDp-0000Ab-E8
	for bug-guile@gnu.org; Wed, 13 Mar 2013 08:55:57 -0400
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.72)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1UFlEs-0006FL-47
	for bug-guile@gnu.org; Wed, 13 Mar 2013 08:57:02 -0400
X-Loop: help-debbugs@gnu.org
Resent-From: Andy Wingo <wingo@pobox.com>
Original-Sender: debbugs-submit-bounces@debbugs.gnu.org
Resent-CC: bug-guile@gnu.org
Resent-Date: Wed, 13 Mar 2013 12:57:02 +0000
Resent-Message-ID: <handler.13827.B13827.136317939123968@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 13827
X-GNU-PR-Package: guile
X-GNU-PR-Keywords: 
Original-Received: via spool by 13827-submit@debbugs.gnu.org id=B13827.136317939123968
	(code B ref 13827); Wed, 13 Mar 2013 12:57:02 +0000
Original-Received: (at 13827) by debbugs.gnu.org; 13 Mar 2013 12:56:31 +0000
Original-Received: from localhost ([127.0.0.1]:50569 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.72)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1UFlEK-0006EU-H7
	for submit@debbugs.gnu.org; Wed, 13 Mar 2013 08:56:30 -0400
Original-Received: from a-pb-sasl-quonix.pobox.com ([208.72.237.25]:58772
	helo=sasl.smtp.pobox.com) by debbugs.gnu.org with esmtp (Exim 4.72)
	(envelope-from <wingo@pobox.com>) id 1UFlEF-0006EI-62
	for 13827@debbugs.gnu.org; Wed, 13 Mar 2013 08:56:26 -0400
Original-Received: from sasl.smtp.pobox.com (unknown [127.0.0.1])
	by a-pb-sasl-quonix.pobox.com (Postfix) with ESMTP id 76953B53F;
	Wed, 13 Mar 2013 08:55:17 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=from:to:cc
	:subject:references:date:in-reply-to:message-id:mime-version
	:content-type; s=sasl; bh=s6HCU67Du8EaIdl7fnkvhapdZ6Q=; b=gYWHqM
	RejZngVsCBwGAjemEoKsgzfddIqPwT0B+s0Slv7U30PXkIaDu2G9A5aiaojwvDO/
	5EkrMZDoSJSh5jr4dQRmgCDt6ZHKC0b6u9fQMHE8LgroLJxvBYfr+Nk3d4+Dqehy
	m4mvcPyHCV6ci1PndRZ5IcJOwf4k7VQ21nFnA=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=pobox.com; h=from:to:cc
	:subject:references:date:in-reply-to:message-id:mime-version
	:content-type; q=dns; s=sasl; b=yjjI8asDJXrw76mQVyEpITFh8ekrn3lY
	PGup/+i7F2WPj76p5xrWIb/IVgzOq6mm64cOig3buCXc66up+QsgrFPkweV/EFf6
	s2se0gI9HLFADlcpZK4KXo0fQLHCikxnh9FYzoJk46eKvxhNmSU5LXHatmRLzrFU
	7jSPoa3x35M=
Original-Received: from a-pb-sasl-quonix.pobox.com (unknown [127.0.0.1])
	by a-pb-sasl-quonix.pobox.com (Postfix) with ESMTP id 6CDA1B53E;
	Wed, 13 Mar 2013 08:55:17 -0400 (EDT)
Original-Received: from badger (unknown [88.160.190.192]) (using TLSv1 with cipher
	DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by
	a-pb-sasl-quonix.pobox.com (Postfix) with ESMTPSA id B91D1B53D;
	Wed, 13 Mar 2013 08:55:16 -0400 (EDT)
In-Reply-To: <87liaay0o1.fsf@Kagami.home> (Ian Price's message of "Wed, 27
	Feb 2013 02:02:06 +0000")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.2 (gnu/linux)
X-Pobox-Relay-ID: 40FC3CCA-8BDD-11E2-9FD3-59240E5B5709-02397024!a-pb-sasl-quonix.pobox.com
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.13
Precedence: list
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
X-Received-From: 140.186.70.43
X-BeenThere: bug-guile@gnu.org
List-Id: "Bug reports for GUILE,
	GNU's Ubiquitous Extension Language" <bug-guile.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-guile>,
	<mailto:bug-guile-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-guile>
List-Post: <mailto:bug-guile@gnu.org>
List-Help: <mailto:bug-guile-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-guile>,
	<mailto:bug-guile-request@gnu.org?subject=subscribe>
Errors-To: bug-guile-bounces+guile-bugs=m.gmane.org@gnu.org
Original-Sender: bug-guile-bounces+guile-bugs=m.gmane.org@gnu.org
Xref: news.gmane.org gmane.lisp.guile.bugs:6950
Archived-At: <http://permalink.gmane.org/gmane.lisp.guile.bugs/6950>

On Wed 27 Feb 2013 03:02, Ian Price <ianprice90@googlemail.com> writes:

> Branch: master
> Commit: 9b977c836bf147d386944c401113aba32776fa68
> System: 32 bit x86 Fedora 16
>
> (use-modules (rnrs bytevectors))
> (define not-32-bit (expt 2 32))
> (define bv (make-bytevector 4))
> (bytevector-u32-set! bv 0 not-32-bit (endianness big))
> (pk bv)
>
> Running this gives me a core dump. It happens for a wide range of values
> that don't fit in 32 bits.
>
> After some talk on #guile, Mark and I believe it comes down to the range
> check in INTEGER_ACCESSOR_PROLOGUE in bytevectors.c

Something like this look right to you?

--- a/libguile/bytevectors.c
+++ b/libguile/bytevectors.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2009, 2010, 2011, 2012 Free Software Foundation, Inc.
+/* Copyright (C) 2009, 2010, 2011, 2012, 2013 Free Software Foundation, Inc.
  *
  * This library is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public License
@@ -82,12 +82,12 @@
   _sign char *c_bv;						\
 								\
   SCM_VALIDATE_BYTEVECTOR (1, bv);				\
-  c_index = scm_to_uint (index);				\
+  c_index = scm_to_size_t (index);				\
 								\
   c_len = SCM_BYTEVECTOR_LENGTH (bv);				\
   c_bv = (_sign char *) SCM_BYTEVECTOR_CONTENTS (bv);		\
 								\
-  if (SCM_UNLIKELY (c_index + ((_len) >> 3UL) - 1 >= c_len))	\
+  if (SCM_UNLIKELY (c_index >= c_len))                          \
     scm_out_of_range (FUNC_NAME, index);
 
 /* Template for fixed-size integer access (only 8, 16 or 32-bit).  */



-- 
http://wingolog.org/