URL: <http://savannah.gnu.org/bugs/?35699>
Summary: NSStrings can point into garbage memory (misuse of app-supplied backing buffer)
Project: GNUstep
Submitted by: snej
Submitted on: Fri 02 Mar 2012 06:21:39 PM GMT
Category: Base/Foundation
Severity: 3 - Normal
Item Group: Bug
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any

_______________________________________________________

Details:

NSString is insufficiently careful in its use of externally-provided buffers (i.e. passed to -initWithBytesNoCopy:). Substrings created from such a string apparently point into the same temporary buffer, even after the original string is released, meaning that their contents become garbage as soon as the buffer contents become invalid.

In the test case below, the contents of the NSString 'substr' change if the temporary buffer is modified, even after the original string created from that buffer is released. This is of course likely to lead to very nasty side effects later on.

I don't know the details of Apple's NSString implementation, but my understanding is that the -substringWithRange: method should not allow the string it returns to share a buffer with the original string, when the original string uses ephemeral user-supplied memory.

TEST CASE

    #import <Foundation/Foundation.h>

    void test(void)
    {
        char buffer[] = "I HAZ A BUFFER";
        NSString* str = [[NSString alloc] initWithBytesNoCopy: buffer
                                                       length: strlen(buffer)
                                                     encoding: NSUTF8StringEncoding
                                                 freeWhenDone: NO];
        NSString* substr = [str substringWithRange: NSMakeRange(2, 3)];
        NSLog(@"substr = '%@'", substr);
        NSAssert([substr isEqualToString: @"HAZ"], @"bad substr");
        [str release];
        // after this point nothing should be using the contents of buffer[]!
        memset(buffer, '*', sizeof(buffer));
        NSLog(@"substr = '%@'", substr);
        NSAssert([substr isEqualToString: @"HAZ"], @"bad substr");
    }
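
The aliasing described in the report, modelled in plain C as an added example (not code from the report or from GNUstep). The Str type and every function name here are hypothetical; replay() repeats the report's test sequence against a substring that shares the borrowed buffer and one that copies the range.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a string object; not GNUstep's data structures. */
typedef struct {
    const char *bytes;  /* backing store */
    size_t      len;
    int         owns;   /* 1 if bytes was malloc'd here and must be freed */
} Str;

/* Models initWithBytesNoCopy:...freeWhenDone:NO, which borrows the caller's buffer. */
Str str_nocopy(const char *buf, size_t len) { Str s = { buf, len, 0 }; return s; }

/* Unsafe substring: aliases the parent's storage, so it silently inherits
   the lifetime of a buffer that neither string owns. */
Str substr_shared(const Str *s, size_t loc, size_t len) {
    Str r = { NULL, 0, 0 };
    if (loc > s->len || len > s->len - loc) return r;   /* range check */
    r.bytes = s->bytes + loc; r.len = len;
    return r;
}

/* Safe substring: copies the range into storage the result owns. */
Str substr_safe(const Str *s, size_t loc, size_t len) {
    Str r = { NULL, 0, 1 };
    if (loc > s->len || len > s->len - loc) return r;   /* range check */
    char *p = malloc(len + 1);
    if (!p) return r;
    memcpy(p, s->bytes + loc, len);
    p[len] = '\0';
    r.bytes = p; r.len = len;
    return r;
}

void str_free(Str *s) { if (s->owns) free((void *)s->bytes); s->bytes = NULL; s->len = 0; }

int str_eq(const Str *s, const char *lit) {
    return s->bytes && s->len == strlen(lit) && memcmp(s->bytes, lit, s->len) == 0;
}

/* Replays the report's sequence. Bit 0: shared substring still equals "HAZ"
   after the buffer is overwritten. Bit 1: copied substring still equals "HAZ". */
int replay(void) {
    char buffer[] = "I HAZ A BUFFER";
    Str str = str_nocopy(buffer, strlen(buffer));
    Str shared = substr_shared(&str, 2, 3);
    Str copied = substr_safe(&str, 2, 3);
    str_free(&str);                        /* "release" the original string */
    memset(buffer, '*', sizeof(buffer));   /* caller reuses its buffer */
    int result = (str_eq(&shared, "HAZ") ? 1 : 0) | (str_eq(&copied, "HAZ") ? 2 : 0);
    str_free(&copied);
    return result;
}
```

Sharing storage between a string and its substring is only sound when the substring keeps an owning parent alive; with a borrowed buffer there is no owner to retain, so the copy is the only safe choice.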