C++Talk.NET C++ language newsgroups

weidongtom@gmail.com Guest
Posted: Wed May 09, 2007 9:11 am
Post subject: Can this cause a program to crash?

Hi,
I was reading some code and I came across this function:
    static char *
    base_name(char *s)
    {
        char *bp;
        char *ep;
        bp = s;
        ep = 0; /* Can this cause problem?*/
        while (*s)
        {
            if (s[0] == '/' && s[1] && s[1] != '/')
                bp = s + 1;
            if (s > bp && s[0] == '/' && s[-1] != '/')
                ep = s;
            ++s;
        }
        if (!ep)
            ep = s;
        *s = 0;
        return bp;
    }
ep = 0; Memory is not allocated to ep, so, this could write to any
memory address right? And I tried it out with:
    #include <stdio.h>
    int main(void){
        char *b;
        *b = 0;
        return 0;
    }
and I get a segmentation fault. So I guess that's a bug right? (This
is from the source code of hexdump-1.5).

Richard Bos Guest
Posted: Wed May 09, 2007 9:11 am
Post subject: Re: Can this cause a program to crash?

"weidongtom (AT) gmail (DOT) com" <weidongtom (AT) gmail (DOT) com> wrote:
Quote:
    static char * base_name(char *s)
    {
        char *bp;
        char *ep;
        bp = s;
        ep = 0; /* Can this cause problem?*/

No.
Quote:
        while (*s)
        {
            if (s[0] == '/' && s[1] && s[1] != '/')
                bp = s + 1;
            if (s > bp && s[0] == '/' && s[-1] != '/')
                ep = s;
            ++s;
        }
        if (!ep)
            ep = s;

However, you never actually use ep for anything, so there's probably a
bug in your algorithm. At a random first guess, here:
Also beware of passing string literals to this function. You're writing
to its argument, and you're not supposed to write to string literals.
Quote:
    ep = 0; Memory is not allocated to ep, so, this could write to any
    memory address right?

Wrong. *ep is not ep. You're writing a null pointer value to ep, which
is legal. Writing to *ep would be undefined behaviour, but you're not
doing that.
Quote:
    And I tried it out with:
    #include <stdio.h>
    int main(void){
        char *b;
        *b = 0;

Here, you do write to *b, and not to b. So yes, this one is indeed
undefined behaviour, and could easily segfault or trample over the wrong
data.
Richard

CBFalconer Guest
Posted: Thu May 10, 2007 9:11 am
Post subject: Re: Can this cause a program to crash?

Keith Thompson wrote:
Quote:
    Flash Gordon <spam@flash-gordon.me.uk> writes:
    CBFalconer wrote, On 09/05/07 15:16:
    "weidongtom (AT) gmail (DOT) com" wrote:
    I was reading some code and I came across this function:
    function reformatted to be visible in one page. Why double
    linefeeds?
        static char *
        base_name(char *s) {
            char *bp;
            char *ep;
            bp = s;
            ep = 0; /* Can this cause problem? */ /* NO. NULL better */
            while (*s) {
                if (s[0] == '/' && s[1] && s[1] != '/') bp = s + 1;
                if (s > bp && s[0] == '/' && s[-1] != '/') ep = s;
                ++s;
            }
            if (!ep) ep = s;
            *s = 0;
            return bp;
        }
    Seems valid. Convoluted, but valid. Mishandles "\n".
    snip
    It is probably not intended to handle \n or non-printable characters,
    but only sane file names. This assessment is based on some off-topic
    knowledge.
    The function could be simplified considerably by using the strrchr()
    function.
    I'm not sure what Chuck means when he says that it mishandles "\n".
    As far as I can tell, it simply treats it like any other character;
    only '/' and '\0' are treated specially. Based on the same off-topic
    knowledge that Flash used, that's exactly the right thing to do.

Woops - on rereading I am confusing '\' and '/'.
--
<http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.txt>
<http://www.securityfocus.com/columnists/423>
<http://www.aaxnet.com/editor/edit043.html>
<http://kadaitcha.cx/vista/dogsbreakfast/index.html>
cbfalconer at maineline dot net
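
As an added example (not code from the thread or from hexdump), here is a variant that follows Richard Bos's caveat about string literals: it takes a const pointer and copies the final path component into a caller-supplied buffer instead of writing through its argument. The name base_name_copy, its return convention and the sample paths are assumptions made for illustration; trailing slashes are trimmed and an all-slash path yields "/".

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical helper, not hexdump's code: copy the last component of
 * `path` into `out` and never write through `path`, so string literals
 * and other read-only buffers are safe arguments.
 * Returns the component length, or -1 on a NULL argument or if `out`
 * cannot hold the component plus its terminator.
 */
static long base_name_copy(const char *path, char *out, size_t outsz)
{
    size_t end, begin, len;

    if (path == NULL || out == NULL || outsz == 0)
        return -1;

    /* Skip trailing slashes, keeping one so "/" and "///" yield "/". */
    end = strlen(path);
    while (end > 1 && path[end - 1] == '/')
        --end;

    /* Walk back to the character just after the previous '/'. */
    begin = end;
    while (begin > 0 && path[begin - 1] != '/')
        --begin;
    if (begin == end && end == 1)   /* path is nothing but slashes */
        begin = 0;

    len = end - begin;
    if (len >= outsz)               /* refuse to truncate or overflow */
        return -1;
    memcpy(out, path + begin, len);
    out[len] = '\0';                /* the only write goes to our buffer */
    return (long)len;
}

int main(void)
{
    /* Constructed sample paths; all are string literals on purpose. */
    const char *samples[] = { "/usr/bin/hexdump", "/usr/lib//", "///", "file" };
    char buf[64];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; ++i)
        if (base_name_copy(samples[i], buf, sizeof buf) >= 0)
            printf("%-18s -> %s\n", samples[i], buf);
    return 0;
}
```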