[Beignet] [PATCH] Don't read past end of printf format string

Pan, Xiuli xiuli.pan at intel.com
Sun Nov 1 22:20:35 PST 2015


Hi Rebecca,
  Nice catch! This is the root cause of a bug I was recently trying to fix; it will cause printf to randomly fail if *(p+1) accidentally is '%'.
So could you resend the patch starting with "GBE:....." and with some more description of the bug fix?

Thanks
Xiuli Pan

-----Original Message-----
From: Beignet [mailto:beignet-bounces at lists.freedesktop.org] On Behalf Of Rebecca N. Palmer
Sent: Monday, November 2, 2015 7:09 AM
To: beignet at lists.freedesktop.org
Subject: [Beignet] [PATCH] Don't read past end of printf format string

Reading p+1 when p==end is an out-of-bounds read.

Signed-off-by: Rebecca Palmer <rebecca_palmer at zoho.com>

---
(Found by valgrind while investigating #90472; probably not the actual cause of that crash, but still a bug.)

diff --git a/backend/src/llvm/llvm_printf_parser.cpp b/backend/src/llvm/llvm_printf_parser.cpp
index bdaed8a..f427107 100644
--- a/backend/src/llvm/llvm_printf_parser.cpp
+++ b/backend/src/llvm/llvm_printf_parser.cpp
@@ -229,7 +229,7 @@ again:
         printf("string end with %%\n");
         goto error;
       }
-      if (*(p + 1) == '%') { // %%
+      if (p + 1 < end && *(p + 1) == '%') { // %%
         p += 2;
         goto again;
       }
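Review bot: The added `p + 1 < end` guard on the `%%` check is correct and relies on `&&` short-circuiting so `*(p + 1)` is never dereferenced when `p + 1 == end`; please confirm that the code following this hunk (not shown) handles the `p + 1 == end` case, i.e. a format string ending in a lone `%`, by rejecting it rather than continuing to parse a conversion specifier from `p + 1`, since the bounds problem this patch fixes would otherwise just move one step further along. The commit message should also carry the `GBE:` prefix used by this project and state that the bug manifests as a heap read one byte past the end of the format string (found with valgrind).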
