bug-gawk

Bug: reading out of bounds in cint_array.c


From: Michael Builov
Subject: Bug: reading out of bounds in cint_array.c
Date: Mon, 13 Jan 2020 16:32:29 +0300

Hello.

I have just spotted a possible read beyond array bounds in
cint_array_init().
What if NHAT is defined as 30 in the environment?

The code:

static NODE **
cint_array_init(NODE *symbol, NODE *subs)
{
........
        /* check relevant environment variables */
        if ((newval = getenv_long("NHAT")) > 1 && newval < INT32_BIT)
            NHAT = (unsigned) newval;
        /* don't allow overflow off the end of the table */
        if (NHAT >= nelems)
            NHAT = nelems - 2;
        THRESHOLD = power_two_table[NHAT + 1];
..........
}

INT32_BIT == 32
nelems == 31
so
THRESHOLD = power_two_table[30 + 1];   // reading out of bounds!

Best regards,
Michael M. Builov.
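The off-by-one described in the report, reproduced as an added stand-alone example (not gawk's code and not the reporter's): a 31-entry stand-in for power_two_table, the clamp as posted, and a corrected clamp that bounds the value actually indexed (NHAT + 1). The default NHAT of 10 and the corrected check are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define INT32_BIT 32
#define NELEMS    31   /* matches the nelems == 31 stated in the report */

/* Stand-in for power_two_table: NELEMS entries, valid indices 0..NELEMS-1. */
static uint32_t power_two_table[NELEMS];

static void init_table(void)
{
    for (size_t i = 0; i < NELEMS; i++)
        power_two_table[i] = 1u << i;
}

/* Index the posted clamp would use for the THRESHOLD lookup.
 * `newval` plays the role of getenv_long("NHAT"); 10 is the assumed default. */
static size_t threshold_index_original(long newval)
{
    unsigned nhat = 10;
    if (newval > 1 && newval < INT32_BIT)
        nhat = (unsigned) newval;
    if (nhat >= NELEMS)            /* 30 >= 31 is false: no clamp applied */
        nhat = NELEMS - 2;
    return nhat + 1;               /* 31 for NHAT=30: one past the end */
}

/* Suggested clamp (an assumption, not gawk's own fix): bound the value
 * that is actually used as an index, NHAT + 1, rather than NHAT itself. */
static size_t threshold_index_checked(long newval)
{
    unsigned nhat = 10;
    if (newval > 1 && newval < INT32_BIT)
        nhat = (unsigned) newval;
    if (nhat + 1 >= NELEMS)        /* 31 >= 31 is true: clamp applied */
        nhat = NELEMS - 2;
    return nhat + 1;               /* 30 for NHAT=30: last valid index */
}

static int index_in_bounds(size_t idx)
{
    return idx < NELEMS;
}

int main(void)
{
    init_table();
    size_t bad = threshold_index_original(30), ok = threshold_index_checked(30);
    printf("original: index %zu in bounds? %d\n", bad, index_in_bounds(bad));
    printf("checked:  index %zu in bounds? %d\n", ok, index_in_bounds(ok));
    return 0;
}
```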

