*Synopsis*: *libpp* Array overrun in libpp
CR 6764665 changed on Oct 23 2009 by <User 1-7MTUEB>
=== Field ============ === New Value ============= === Old Value =============
See Also 6437624
====================== =========================== ===========================
*Change Request ID*: 6764665
*Synopsis*: *libpp* Array overrun in libpp
Product: solaris
Category: shell
Subcategory: korn93
Type: Defect
Subtype:
Status: 7-Fix in Progress
Substatus:
Priority: 3-Medium
Introduced In Release: solaris_nevada
Introduced In Build: snv_72
Responsible Engineer: <User 1-7MTUEB>
Keywords: oss-request, oss-sponsor, parfait
=== *Description* ============================================================
/usr/src/lib/libpp/common/ppfsm.c
0861:         }
0862:         if (x >= 0)
0863:         {
0864:                 *s = x;
0865:                 for (n = CHAR_MIN; n <= CHAR_MAX; n++)
0866:                         if (ppisidig(n))
0867:                                 fsm[HITN][n] = HITN;
0868:                 n = HITN;
0869:         }
0870:         if (fsm[i][c] < n)
0871:                 fsm[i][c] = n;
ppisidig() expands to ((pptype)[c]&(C_ID|C_DIG)), and pptype further expands to
(ppctype-(CHAR_MIN)+1) when char is signed (as it is by default on x86).
ppctype in turn is a char array of 255 elements. As a result, the above loop
runs from ppctype[1] through ppctype[256].
The bug looks to be in the definition of pptype - when char is unsigned, the
code should work correctly.
This bug was found using the Parfait source code analysis tool.
See http://research.sun.com/projects/parfait
*** (#1 of 1): 2008-10-28 18:48:54 GMT+00:00 <User 1-5Q-544>
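Added example for this CR (not libpp source and not code from the report above): a small C program that models the index arithmetic the description walks through. The 255-element table, the pptype offset of -(CHAR_MIN)+1 and the CHAR_MIN..CHAR_MAX loop are taken from the text of the comment and are assumptions of this model; the real declarations are not on this page. The program reports which ppctype indices the loop touches on a signed-char build and how many iterations fall outside the table, and contrasts that with an (unsigned char) index that stays in range. That alternative is illustrative only and is not the fix recorded in this CR.

```c
/*
 * Model of the libpp index arithmetic described in CR 6764665.
 * Assumptions taken from the CR text (not from libpp headers):
 *   - ppctype has 255 elements
 *   - pptype expands to (ppctype - (CHAR_MIN) + 1)
 *   - the loop is: for (n = CHAR_MIN; n <= CHAR_MAX; n++) ppisidig(n)
 */
#include <limits.h>
#include <stdio.h>

#define PPCTYPE_LEN 255L    /* per the CR: ppctype is a 255-element char array */

/* Index into ppctype that (ppctype - char_min + 1)[n] resolves to.
 * char_min is a parameter so the signed-char case (-128) can be
 * evaluated explicitly instead of depending on the host compiler. */
static long pptype_index(int char_min, int n)
{
    return (long)n - char_min + 1;
}

/* First and last ppctype index touched by the loop. */
static long first_index(int char_min)
{
    return pptype_index(char_min, char_min);
}

static long last_index(int char_min, int char_max)
{
    return pptype_index(char_min, char_max);
}

/* Number of loop iterations whose index is outside [0, len), i.e. the
 * reads that run past the table. Pure arithmetic: no real table is
 * touched out of bounds here. */
static long overrun_count(int char_min, int char_max, long len)
{
    long bad = 0;
    for (int n = char_min; n <= char_max; n++) {
        long i = pptype_index(char_min, n);
        if (i < 0 || i >= len)
            bad++;
    }
    return bad;
}

/* Illustrative alternative (not the fix in this CR): index a table of
 * UCHAR_MAX + 1 entries with (unsigned char)n. Negative n values map to
 * 128..255 and every index stays within [0, UCHAR_MAX] regardless of
 * whether char is signed on the platform. */
static long safe_index(int n)
{
    return (long)(unsigned char)n;
}

static long safe_overrun_count(int char_min, int char_max)
{
    long bad = 0;
    for (int n = char_min; n <= char_max; n++) {
        long i = safe_index(n);
        if (i < 0 || i > UCHAR_MAX)
            bad++;
    }
    return bad;
}

int main(void)
{
    /* Signed char as on x86: CHAR_MIN = -128, CHAR_MAX = 127 */
    int cmin = -128, cmax = 127;

    printf("pptype offset: loop touches ppctype[%ld]..ppctype[%ld] "
           "(%ld elements), %ld iterations overrun\n",
           first_index(cmin), last_index(cmin, cmax),
           PPCTYPE_LEN, overrun_count(cmin, cmax, PPCTYPE_LEN));

    printf("(unsigned char) index: %ld iterations overrun a %d-element table\n",
           safe_overrun_count(cmin, cmax), UCHAR_MAX + 1);
    return 0;
}
```

With CHAR_MIN = -128 the model reproduces the description: the loop reaches from ppctype[1] to ppctype[256], so the last two iterations (indices 255 and 256) read past a 255-element table, while the (unsigned char) indexing never leaves the table.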
=== *Public Comments* ========================================================
=== *Workaround* =============================================================
=== *Additional Details* =====================================================
Targeted Release: solaris_nevada
Commit To Fix In Build: snv_127
Fixed In Build:
Integrated In Build:
Verified In Build:
See Also: 6437624, 6793763
Duplicate of:
Hooks:
Hook1:
Hook2:
Hook3:
Hook4:
Hook5: <email address omitted>
Hook6: <email address omitted>
Program Management:
Root Cause: Insufficient Testing
Fix Affects Documentation: No
Fix Affects Localization: No
=== *History* ================================================================
Date Submitted: 2008-10-28 18:48:54 GMT+00:00
Submitted By: <User 1-5Q-544>
Status Changed Date Updated Updated By
3-Accepted 2008-12-09 00:01:13 GMT+00:00 <User 1-5Q-5151>
6-Fix Understood 2009-06-16 15:16:40 GMT+00:00 <User 1-1SURPB>
7-Fix in Progress 2009-10-23 17:29:17 GMT+00:00 <User 1-7MTUEB>
=== *Service Request* ========================================================
Impact: Significant
Functionality: Secondary
Severity: 3
Product Name: solaris
Product Release: solaris_nevada
Product Build:
Operating System: solaris_nevada
Hardware: generic
Submitted Date: 2008-10-28 18:48:54 GMT+00:00
=== *Multiple Release (MR) Cluster* - 0 ======================================