Bug #497

Accessing indexed arrays via a[i] (instead of ar[$i]) may lead to use of |strcpy()| with overlapping src and dest

Added by Roland Mainz over 9 years ago.

Status: New
Priority: Normal
Assignee: -
Category: cmd - userland programs
Start date: 2010-12-10
Due date:
% Done: 0%
Estimated time:
Difficulty:
Tags:
Gerrit CR:

Description

The following ksh testcase creates a |strcpy()| call which may lead to undefined behaviour on some platforms.
Example (note that variable "l1" must be exactly two characters wide):
-- snip --
$ ksh -c 'typeset -T r_t=( typeset left ; typeset right ) ; r_t -r -a x=([0]=(right="1") [1]=(right="2")) ; integer l1=1 ; print ${x[l1].right}'
-- snip --
... running this testcase on SuSE Linux 11.0 (Solaris has no "valgrind") under "valgrind" control delivers this warning:
-- snip --
28763 Source and destination overlap in strcpy(0x4223B31, 0x4223B32)
28763 at 0x4C25E8D: strcpy (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
28763 by 0x45B4B9: nv_create (name.c:1053)
28763 by 0x45C878: nv_open (name.c:1348)
28763 by 0x452299: varsub (macro.c:1305)
28763 by 0x44F6D3: copyto (macro.c:626)
28763 by 0x44D9FA: sh_macexpand (macro.c:240)
28763 by 0x4AE4D7: arg_expand (args.c:871)
28763 by 0x4ADE9D: sh_argbuild (args.c:728)
28763 by 0x48097B: sh_exec (xec.c:916)
28763 by 0x484753: sh_exec (xec.c:1962)
28763 by 0x417ED6: exfile (main.c:601)
28763 by 0x4170CD: sh_main (main.c:373)
-- snip --

Notes:
1. this issue was found on Linux but applies to Solaris, too
2. I filed this bug as reference for other bugs
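
The valgrind report above shows a destination one byte below the source, so the two ranges overlap. The following is an added example, not code from this report or from ksh: it checks for that overlap and performs the same one-byte left shift with memmove(), which is defined for overlapping ranges. The buffer contents and the helper names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if strcpy(dst, src) would read and write overlapping bytes.
 * Both ranges span strlen(src) + 1 bytes (terminating NUL included). */
static int strcpy_would_overlap(const char *dst, const char *src)
{
    size_t n = strlen(src) + 1;
    uintptr_t d = (uintptr_t)dst, s = (uintptr_t)src;
    return d < s + n && s < d + n;
}

/* Hypothetical helper: same result as strcpy() for disjoint buffers, but
 * memmove() is specified to work when the ranges overlap. */
static char *overlap_safe_strcpy(char *dst, const char *src)
{
    return memmove(dst, src, strlen(src) + 1);
}

/* Reproduces the pointer layout from the report on a constructed buffer:
 * dst is one byte below src, as in strcpy(0x4223B31, 0x4223B32).
 * Returns the buffer after the shift, or NULL if no overlap was detected. */
static const char *demo_shift_left(void)
{
    static char buf[16];
    char *dst = buf + 1, *src = buf + 2;

    memcpy(buf, "a.l1.right", sizeof "a.l1.right");  /* constructed input */
    if (!strcpy_would_overlap(dst, src))
        return NULL;
    overlap_safe_strcpy(dst, src);                   /* drops the byte at buf[1] */
    return buf;
}

int main(void)
{
    const char *r = demo_shift_left();
    printf("result: %s\n", r ? r : "(no overlap)");
    return 0;
}
```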
