From: Andy Wingo
To: Ian Price
Cc: 13827@debbugs.gnu.org
Newsgroups: gmane.lisp.guile.bugs
Subject: bug#13827: faulty range check in bytevector accessor
Date: Wed, 13 Mar 2013 13:55:14 +0100
Message-ID: <87k3pbh32l.fsf@pobox.com>
In-Reply-To: <87liaay0o1.fsf@Kagami.home> (Ian Price's message of "Wed, 27 Feb 2013 02:02:06 +0000")

On Wed 27 Feb 2013 03:02, Ian Price writes:

> Branch: master
> Commit: 9b977c836bf147d386944c401113aba32776fa68
> System: 32 bit x86 Fedora 16
>
> (use-modules (rnrs bytevectors))
> (define not-32-bit (expt 2 32))
> (define bv (make-bytevector 4))
> (bytevector-u32-set! bv 0 not-32-bit (endianness big))
> (pk bv)
>
> Running this gives me a core dump. It happens for a wide range of values
> that don't fit in 32 bits.
>
> After some talk on #guile, Mark and I believe it comes down to the range
> check in INTEGER_ACCESSOR_PROLOGUE in bytevectors.c

Something like this look right to you?

--- a/libguile/bytevectors.c +++ b/libguile/bytevectors.c @@ -1,4 +1,4 @@ -/* Copyright (C) 2009, 2010, 2011, 2012 Free Software Foundation, Inc. +/* Copyright (C) 2009, 2010, 2011, 2012, 2013 Free Software Foundation, Inc. * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public License 
@@ -82,12 +82,12 @@ _sign char *c_bv; \ \ SCM_VALIDATE_BYTEVECTOR (1, bv); \ - c_index = scm_to_uint (index); \ + c_index = scm_to_size_t (index); \ \ c_len = SCM_BYTEVECTOR_LENGTH (bv); \ c_bv = (_sign char *) SCM_BYTEVECTOR_CONTENTS (bv); \ \ - if (SCM_UNLIKELY (c_index + ((_len) >> 3UL) - 1 >= c_len)) \ + if (SCM_UNLIKELY (c_index >= c_len)) \ scm_out_of_range (FUNC_NAME, index); /* Template for fixed-size integer access (only 8, 16 or 32-bit). */ -- http://wingolog.org/
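
Review bot: the new bound check `c_index >= c_len` in INTEGER_ACCESSOR_PROLOGUE no longer accounts for the access width `(_len) >> 3UL`, so an index in the last bytes of the bytevector (for a 32-bit access on a 4-byte vector, index 1, 2 or 3) passes the check and the accessor then touches memory past `c_len`. The removed expression can wrap when `c_index` is near the top of its range, so rather than restoring it, keep the width with a subtraction on the length side, for example `c_len < ((_len) >> 3UL) || c_index > c_len - ((_len) >> 3UL)`. It would also help to state how this hunk relates to the report: the reproducer uses index 0 on a 4-byte vector, which both the old and the new check accept, and the out-of-range input there is the value, not the index.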