Gitweb links: ...log http://git.netsurf-browser.org/libparserutils.git/shortlog/3b3385ca09c9ca... ...commit http://git.netsurf-browser.org/libparserutils.git/commit/3b3385ca09c9cab4... ...tree http://git.netsurf-browser.org/libparserutils.git/tree/3b3385ca09c9cab412... The branch, master has been updated via 3b3385ca09c9cab412dd9213f7f018309b438140 (commit) via 5f7fe78d1119fd068e8c932bb0ea321b31088787 (commit) from 93c721d6edc90e6f06eff8701824aa0d9ed6da16 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commitdiff http://git.netsurf-browser.org/libparserutils.git/commit/?id=3b3385ca09c9... commit 3b3385ca09c9cab412dd9213f7f018309b438140 Author: Michael Drake <tlsa(a)netsurf-browser.org&gt; Commit: Michael Drake <tlsa(a)netsurf-browser.org&gt; Fix memmove beyond buffer length in parserutlis_buffer_discard. Thanks to Elie Roudninski. diff --git a/src/utils/buffer.c b/src/utils/buffer.c index 5a2a7ce..716e67c 100644 --- a/src/utils/buffer.c +++ b/src/utils/buffer.c @@ -134,7 +134,7 @@ parserutils_error parserutils_buffer_discard(parserutils_buffer *buffer, return PARSERUTILS_BADPARM; memmove(buffer->data + offset, buffer->data + offset + len, - buffer->length - len); + buffer->length - (len + offset)); buffer->length -= len; commitdiff http://git.netsurf-browser.org/libparserutils.git/commit/?id=5f7fe78d1119... commit 5f7fe78d1119fd068e8c932bb0ea321b31088787 Author: Michael Drake <tlsa(a)netsurf-browser.org&gt; Commit: Michael Drake <tlsa(a)netsurf-browser.org&gt; Add test for memmove beyond buffer length, in parserutils_buffer_discard. diff --git a/test/regression/INDEX b/test/regression/INDEX index f6de6cf..63e1a3b 100644 --- a/test/regression/INDEX +++ b/test/regression/INDEX @@ -5,3 +5,4 @@ filter-segv Segfault in input filtering stream-nomem Inputstream buffer expansion filter-badenc-segv Segfault on resetting bad encoding in filter +buffer-discard Memmove beyond data length diff --git a/test/regression/Makefile b/test/regression/Makefile index c83de62..cf6acee 100644 --- a/test/regression/Makefile +++ b/test/regression/Makefile @@ -1,6 +1,8 @@ # Tests DIR_TEST_ITEMS := filter-segv:filter-segv.c \ - stream-nomem:stream-nomem.c filter-badenc-segv:filter-badenc-segv.c + stream-nomem:stream-nomem.c \ + filter-badenc-segv:filter-badenc-segv.c \ + buffer-discard:buffer-discard.c CFLAGS := $(CFLAGS) -I$(CURDIR)/test diff --git a/test/regression/buffer-discard.c b/test/regression/buffer-discard.c new file mode 100644 index 0000000..d3eefb8 --- /dev/null +++ b/test/regression/buffer-discard.c @@ -0,0 +1,67 @@ +#include <stdio.h> +#include <string.h> + +#include <parserutils/parserutils.h> +#include <parserutils/utils/buffer.h> + +#include "utils/utils.h" + +#include "testutils.h" + +#define BUFF_LEN 2000 + +int main(int argc, char **argv) +{ + uint8_t data[BUFF_LEN]; + parserutils_buffer *buf; + int i; + + UNUSED(argc); + UNUSED(argv); + + assert(parserutils_buffer_create(&buf) == PARSERUTILS_OK); + + /* Populate the data with '4's */ + for (i = 0; i < BUFF_LEN; i++) + data[i] = '4'; + + assert(parserutils_buffer_append(buf, data, BUFF_LEN) == + PARSERUTILS_OK); + + /* Double the size, appending 'c's */ + for (i = 0; i < BUFF_LEN; i++) + data[i] = 'c'; + + assert(parserutils_buffer_append(buf, data, BUFF_LEN) == + PARSERUTILS_OK); + assert(buf->length == 2 * BUFF_LEN); + + /* Now reduce the length by half */ + /* Buffer length is all '4's now */ + buf->length = BUFF_LEN; + + /* Now discard half of the 4s from the middle of the buffer */ + assert(parserutils_buffer_discard(buf, BUFF_LEN / 4, BUFF_LEN / 2) == + PARSERUTILS_OK); + + /* Now check that the length is what we expect */ + assert(buf->length == BUFF_LEN / 2); + + /* Now check that the buffer contains what we expect */ + for (i = 0; i < BUFF_LEN / 2; i++) + assert(buf->data[i] == '4'); + + /* Now check that the space we allocated beyond the buffer length is + * as we expect, and not overwritten with 'c', which should be beyond + * what the buffer_ code is allowed to move. */ + for (i = BUFF_LEN / 2; i < BUFF_LEN; i++) + assert(buf->data[i] != 'c'); + + + assert(parserutils_buffer_destroy(buf) == PARSERUTILS_OK); + + printf("PASS\n"); + + return 0; +} + ----------------------------------------------------------------------- Summary of changes: src/utils/buffer.c | 2 +- test/regression/INDEX | 1 + test/regression/Makefile | 4 ++- test/regression/buffer-discard.c | 67 ++++++++++++++++++++++++++++++++++++++ 4 files changed, 72 insertions(+), 2 deletions(-) create mode 100644 test/regression/buffer-discard.c diff --git a/src/utils/buffer.c b/src/utils/buffer.c index 5a2a7ce..716e67c 100644 --- a/src/utils/buffer.c +++ b/src/utils/buffer.c @@ -134,7 +134,7 @@ parserutils_error parserutils_buffer_discard(parserutils_buffer *buffer, return PARSERUTILS_BADPARM; memmove(buffer->data + offset, buffer->data + offset + len, - buffer->length - len); + buffer->length - (len + offset)); buffer->length -= len; diff --git a/test/regression/INDEX b/test/regression/INDEX index f6de6cf..63e1a3b 100644 --- a/test/regression/INDEX +++ b/test/regression/INDEX @@ -5,3 +5,4 @@ filter-segv Segfault in input filtering stream-nomem Inputstream buffer expansion filter-badenc-segv Segfault on resetting bad encoding in filter +buffer-discard Memmove beyond data length diff --git a/test/regression/Makefile b/test/regression/Makefile index c83de62..cf6acee 100644 --- a/test/regression/Makefile +++ b/test/regression/Makefile @@ -1,6 +1,8 @@ # Tests DIR_TEST_ITEMS := filter-segv:filter-segv.c \ - stream-nomem:stream-nomem.c filter-badenc-segv:filter-badenc-segv.c + stream-nomem:stream-nomem.c \ + filter-badenc-segv:filter-badenc-segv.c \ + buffer-discard:buffer-discard.c CFLAGS := $(CFLAGS) -I$(CURDIR)/test diff --git a/test/regression/buffer-discard.c b/test/regression/buffer-discard.c new file mode 100644 index 0000000..d3eefb8 --- /dev/null +++ b/test/regression/buffer-discard.c @@ -0,0 +1,67 @@ +#include <stdio.h> +#include <string.h> + +#include <parserutils/parserutils.h> +#include <parserutils/utils/buffer.h> + +#include "utils/utils.h" + +#include "testutils.h" + +#define BUFF_LEN 2000 + +int main(int argc, char **argv) +{ + uint8_t data[BUFF_LEN]; + parserutils_buffer *buf; + int i; + + UNUSED(argc); + UNUSED(argv); + + assert(parserutils_buffer_create(&buf) == PARSERUTILS_OK); + + /* Populate the data with '4's */ + for (i = 0; i < BUFF_LEN; i++) + data[i] = '4'; + + assert(parserutils_buffer_append(buf, data, BUFF_LEN) == + PARSERUTILS_OK); + + /* Double the size, appending 'c's */ + for (i = 0; i < BUFF_LEN; i++) + data[i] = 'c'; + + assert(parserutils_buffer_append(buf, data, BUFF_LEN) == + PARSERUTILS_OK); + assert(buf->length == 2 * BUFF_LEN); + + /* Now reduce the length by half */ + /* Buffer length is all '4's now */ + buf->length = BUFF_LEN; + + /* Now discard half of the 4s from the middle of the buffer */ + assert(parserutils_buffer_discard(buf, BUFF_LEN / 4, BUFF_LEN / 2) == + PARSERUTILS_OK); + + /* Now check that the length is what we expect */ + assert(buf->length == BUFF_LEN / 2); + + /* Now check that the buffer contains what we expect */ + for (i = 0; i < BUFF_LEN / 2; i++) + assert(buf->data[i] == '4'); + + /* Now check that the space we allocated beyond the buffer length is + * as we expect, and not overwritten with 'c', which should be beyond + * what the buffer_ code is allowed to move. */ + for (i = BUFF_LEN / 2; i < BUFF_LEN; i++) + assert(buf->data[i] != 'c'); + + + assert(parserutils_buffer_destroy(buf) == PARSERUTILS_OK); + + printf("PASS\n"); + + return 0; +} + -- Lexer/parser utility functions