
[PATCH] Fix the out-of-bounds memory access in the 'test_string_matching' test

From: Evgeny Kotkov <evgeny.kotkov_at_visualsvn.com>
Date: Sun, 28 Jul 2013 13:47:34 +0400

Hi,

I've noticed that the test 'test_string_matching' introduced in r1505336 [1]
violates the contracts of the svn_cstring__match_length and
svn_cstring__reverse_match_length functions:

[[[
    Return the number of bytes before A and B that don't differ. If no
    difference can be found in the first MAX_LEN characters, MAX_LEN will
    be returned. Please note that A-MAX_LEN and B-MAX_LEN must both be
    valid addresses.
]]]

Currently this test sets the MAX_LEN value to the maximum of the string
lengths. This violates the "valid addresses" part of the contract and results
in undefined behavior due to the out-of-bounds memory access.

On my 64-bit Ubuntu machine this test fails when compiled with the string
pooling optimization (gcc -O1 / -O2 / -O3):

[[[
    PASS: string-test 27: check deletion from svn_stringbuf_t
    PASS: string-test 28: check replacement in svn_stringbuf_t
    PASS: string-test 29: test string similarity scores
    svn_tests: E200006: assertion 'rmatch_len == test->rmatch_len' failed at
      subversion/tests/libsvn_subr/string-test.c:823
    FAIL: string-test 30: test string matching
]]]

I've attached a patch that fixes this issue.

[1]: https://svn.apache.org/viewvc?view=revision&revision=r1505336

Thanks and regards,
Evgeny Kotkov

Received on 2013-07-28 11:48:36 CEST

This is an archived mail posted to the Subversion Dev mailing list.
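
The contract violation described in the mail above, as an added example that is not part of the original message or of Subversion's code. `reverse_match` is a hypothetical stand-in with the quoted contract, and `pool` is a constructed buffer modelling a short string stored as the tail of a longer one, so the over-long look-back stays inside one array and the wrong result is reproducible.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in with the contract quoted in the mail (hypothetical, not
 * Subversion's implementation): count the bytes before A and B that do not
 * differ, up to MAX_LEN. A - MAX_LEN and B - MAX_LEN must be valid. */
static size_t reverse_match(const char *a, const char *b, size_t max_len)
{
    size_t n = 0;
    while (n < max_len && a[-(ptrdiff_t)(n + 1)] == b[-(ptrdiff_t)(n + 1)])
        n++;
    return n;
}

/* Contract-respecting caller: A - MAX_LEN and B - MAX_LEN stay inside
 * their strings only if MAX_LEN <= min(strlen(a), strlen(b)). */
static size_t common_suffix(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    return reverse_match(a + la, b + lb, la < lb ? la : lb);
}

/* Constructed case: "abc" stored as the tail of "xxabc", so the bytes in
 * front of it are readable here and the effect is deterministic. */
static const char pool[] = "xxabc";
static const char other[] = "xxabc";
static const char *const tail = pool + 2;   /* points at "abc" */

/* MAX_LEN = maximum of the two lengths (5), as the mail describes: the
 * comparison runs 2 bytes past the start of "abc" into its neighbour. */
static size_t suffix_with_max_len(void)
{
    return reverse_match(tail + 3, other + 5, 5);
}

int main(void)
{
    printf("bounded by min length: %zu\n", common_suffix(tail, other));
    printf("bounded by max length: %zu\n", suffix_with_max_len());
    return 0;
}
```

With a free-standing `"abc"` the same call reads memory outside the object, so the value returned depends on whatever the compiler and linker placed before it.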