| Karim BELABAS on Wed, 20 Jan 1999 13:07:31 +0100 (MET) |
| Re: buffer overflow |
[Igor:]
> this is my .gprc file:
> ------------------------------------------------------------------------
> read "/home/igor/.libgp"
> ------------------------------------------------------------------------
>
> this is my .libgp file:
> ------------------------------------------------------------------------
> res=-23708160*x^9 - 225566208*x^8 - 1131314688*x^7 - 3968372736*x^6 -\
> 7276863744*x^5 - 1112932224*x^4 + 22694392512*x^3 + +49279399488*x^2 +\
> 50845741200*x + 22483386864;
> ------------------------------------------------------------------------
>
> this is what I do:
> % gp -q
> ? \r
> ? \r
> *** buffer overflow in get_sep.
>
> I traced it down to the fact that GET_SEP_SIZE is defined to be 128,
> so the error occurs when a line in the input file is longer than 128.
Off-by-one error: get_sep was reading another string than the one it was sent
(it skipped the ending '\0'). get_sep2 was doing the same thing. [I'm also
cleaning up the code a little bit.]
GET_SEP_SIZE is only used as the maximum length for tokens input interactively
(file names mostly...). It has nothing to do with the input files themselves.
Karim.
*** src/gp/gp.c.orig Mon Jan 18 13:25:40 1999
--- src/gp/gp.c Wed Jan 20 13:00:20 1999
***************
*** 143,151 ****
for(;;)
{
! char c = *s++ = *t++;
! if (c == '"' && (outer || s[-2] != '\\')) outer = !outer;
! if (!*t || (outer && separe(*t))) { *s=0; return buf; }
if (s == lim) err(talker,"buffer overflow in get_sep");
}
}
--- 143,158 ----
for(;;)
{
! switch(*s++ = *t++)
! {
! case '"':
! if (outer || s[-2] != '\\') outer = !outer;
! break;
! case '\0':
! return buf;
! default:
! if (outer && separe(*t)) { *s=0; return buf; }
! }
if (s == lim) err(talker,"buffer overflow in get_sep");
}
}
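Review bot: the `break` in `case '"'` skips the separator test, so a token that ends with a closing quote is no longer cut at the separator following it. The old `if (!*t || (outer && separe(*t)))` ran after every copied character, but in the new loop only the `default` branch tests `separe(*t)`, so `"a b" c` now yields `"a b" c` where the old code returned `"a b"`. Keep `case '\0': return buf;` inside the switch and move the separator test after it so it covers the quote case as well:
`case '\0': return buf;`
`}`
`if (outer && separe(*t)) { *s=0; return buf; }`
Also, that `*s=0` executes before `if (s == lim)`, so when a token fills the buffer exactly the terminator is written at `*lim`; whether that byte exists depends on how `lim` is derived from GET_SEP_SIZE, which this hunk does not show.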
***************
*** 159,167 ****
for(;;)
{
! if (*s++ == '"' && (outer || s[-2] != '\\')) outer = !outer;
! if (!*s) return 0;
! if (outer && separe(*s)) { *s=1; return 0; }
}
}
--- 166,181 ----
for(;;)
{
! switch (*s++)
! {
! case '"':
! if (outer || s[-2] != '\\') outer = !outer;
! break;
! case '\0':
! return 0;
! default:
! if (outer && separe(*s)) { *s=0; return 1; }
! }
}
}
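Review bot: the same skipped check appears here: after `case '"'` the `break` bypasses `if (outer && separe(*s))`, which the old `if (*s++ == '"' ...)` / `if (outer && separe(*s))` sequence applied to every character, so a separator directly after a closing quote is not found. Run the separator test after the switch here too. Separately, both the return value and the stored byte change (`*s=1; return 0;` becomes `*s=0; return 1;`): the function now reports 1 when it cut the string at a separator and 0 at end of string, and writes NUL rather than 1 over the separator, so every caller of get_sep2, none of which this diff touches, must be checked against the new contract.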
--
Karim Belabas email: Karim.Belabas@math.u-psud.fr
Dep. de Mathematiques, Bat. 425
Universite Paris-Sud Tel: (00 33) 1 69 15 57 48
F-91405 Orsay (France) Fax: (00 33) 1 69 15 60 19
--
PARI/GP Home Page: http://pari.home.ml.org
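The off-by-one Karim describes, and the quoting rules both loops implement, as an added example that is not code from the patch or from PARI: `get_sep_old` is the loop from the "before" side of the first hunk, with `separe()`, `lim` and the initial value of `outer` filled in as assumptions because the hunk does not show them; `get_sep_fixed` is a hardened rewrite of mine that lets the copied character itself decide, runs the separator test after the switch so it also applies to a closing quote, and checks the bound before each write. The helpers feed a constructed input with bytes placed after the terminator to show what the old loop reads.

```c
#include <stdio.h>
#include <string.h>

#define GET_SEP_SIZE 128

/* Stand-in for PARI's separe(): characters that end a token (assumption). */
static int separe(char c) { return c == ' ' || c == '\t' || c == '\n' || c == ';'; }

/* The loop from the "before" side of the first hunk, kept as-is.  The end test
 * looks at *t, the character AFTER the one just copied, so an empty string has
 * its '\0' copied and the scan continues past it.  lim and the start value of
 * outer are assumptions; the hunk does not show them. */
static char *get_sep_old(char *buf, const char *t)
{
    char *s = buf, *lim = buf + GET_SEP_SIZE;
    int outer = 1;                          /* start outside a quoted string */
    for (;;)
    {
        char c = *s++ = *t++;
        if (c == '"' && (outer || s[-2] != '\\')) outer = !outer;
        if (!*t || (outer && separe(*t))) { *s = 0; return buf; }
        if (s == lim) { fputs("buffer overflow in get_sep\n", stderr); return NULL; }
    }
}

/* Hardened rewrite (mine, not the patch's code): the copied character itself
 * decides, so a NUL ends the token before anything beyond it is read; the
 * separator test sits after the switch so it also applies to a closing quote;
 * the bound is checked before each write, reserving the last slot for '\0'. */
static char *get_sep_fixed(char *buf, size_t bufsize, const char *t)
{
    char *s = buf, *lim = buf + bufsize - 1;
    int outer = 1;
    for (;;)
    {
        if (s == lim && *t != '\0')         /* only a '\0' fits in the last slot */
        {
            fputs("buffer overflow in get_sep\n", stderr);
            return NULL;
        }
        switch (*s++ = *t++)
        {
          case '"':
            if (outer || s[-2] != '\\') outer = !outer;
            break;
          case '\0':
            return buf;                     /* terminator already copied */
        }
        if (outer && separe(*t)) { *s = 0; return buf; }
    }
}

/* Constructed input: an empty token, then bytes a tokenizer must never read.
 * Returns what is left in buf[1]: the old loop copies the 'X' it read past
 * the terminator, the fixed loop leaves the '#' fill byte untouched. */
static char byte_after_terminator(int use_fixed)
{
    static const char src[] = { '\0', 'X', ' ', 'Y', '\0' };
    char buf[GET_SEP_SIZE];
    memset(buf, '#', sizeof buf);
    if (use_fixed) get_sep_fixed(buf, sizeof buf, src);
    else           get_sep_old(buf, src);
    return buf[1];
}

/* 1 if a quoted token is cut right after its closing quote (as the old loop
 * did) and a backslash-escaped quote does not end the quoted string. */
static int fixed_quoting_ok(void)
{
    char a[GET_SEP_SIZE], b[GET_SEP_SIZE];
    const char *ra = get_sep_fixed(a, sizeof a, "\"my file\" other");
    const char *rb = get_sep_fixed(b, sizeof b, "\"a\\\"b\" c");
    return ra && rb && strcmp(ra, "\"my file\"") == 0 && strcmp(rb, "\"a\\\"b\"") == 0;
}

/* Builds a token of n 'a's and reports whether get_sep_fixed accepted it. */
static int fixed_accepts_length(size_t n)
{
    char src[GET_SEP_SIZE + 16], buf[GET_SEP_SIZE];
    if (n >= sizeof src) return 0;
    memset(src, 'a', n);
    src[n] = '\0';
    const char *r = get_sep_fixed(buf, sizeof buf, src);
    return r != NULL && strlen(r) == n;
}

int main(void)
{
    printf("old loop: buf[1] = '%c'   fixed loop: buf[1] = '%c'\n",
           byte_after_terminator(0), byte_after_terminator(1));
    printf("quoting ok: %d   127 chars accepted: %d   128 chars rejected: %d\n",
           fixed_quoting_ok(), fixed_accepts_length(GET_SEP_SIZE - 1),
           !fixed_accepts_length(GET_SEP_SIZE));
    return 0;
}
```

The bound check in `get_sep_fixed` refuses to copy anything but a terminator into the last slot, so a 127-character token still fits in a 128-byte buffer while a 128-character one is rejected before any byte lands outside it; the patch as posted leaves that last-slot question to the definition of `lim`.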