Commit 8c2fefe8 authored by Dmitriy Vyukov's avatar Dmitriy Vyukov

cmd/gc: fix out of bounds access

AddressSanitizer says:

AddressSanitizer: heap-buffer-overflow on address 0x60200001b6f3
READ of size 6 at 0x60200001b6f3 thread T0
    #0 0x46741b in __interceptor_memcmp asan_interceptors.cc:337
    #1 0x4b5794 in compile src/cmd/6g/../gc/pgen.c:177
    #2 0x509b81 in funccompile src/cmd/gc/dcl.c:1457
    #3 0x520fe2 in p9main src/cmd/gc/lex.c:489
    #4 0x5e2e01 in main src/lib9/main.c:57
    #5 0x7fab81f7976c in __libc_start_main /build/buildd/eglibc-2.15/csu/libc-start.c:226
    #6 0x4b16dc in _start (pkg/tool/linux_amd64/6g+0x4b16dc)

0x60200001b6f3 is located 0 bytes to the right of 3-byte region [0x60200001b6f0,0x60200001b6f3)
allocated by thread T0 here:
    #0 0x493ec8 in __interceptor_malloc asan_malloc_linux.cc:75
    #1 0x54d64e in mal src/cmd/gc/subr.c:459
    #2 0x5260d5 in yylex src/cmd/gc/lex.c:1605
    #3 0x52078f in p9main src/cmd/gc/lex.c:402
    #4 0x5e2e01 in main src/lib9/main.c:57

If the memory block happens to be at the end of hunk and page bounadry,
this out-of-bounds can lead to a crash.

LGTM=dave, iant
R=golang-codereviews, dave, iant
CC=golang-codereviews
https://golang.org/cl/93370043
parent d145f0f0
......@@ -174,7 +174,7 @@ compile(Node *fn)
lno = setlineno(fn);
if(fn->nbody == nil) {
if(pure_go || memcmp(fn->nname->sym->name, "init·", 6) == 0)
if(pure_go || strncmp(fn->nname->sym->name, "init·", 6) == 0)
yyerror("missing function body", fn);
goto ret;
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment