#1559 closed defect (fixed)

Buffer Overrun in mon-editor.c

Reported by: Joel Sherrill Owned by: Chris Johns
Priority: normal Milestone: 4.11
Component: unspecified Version: 4.10
Severity: normal Keywords:
Cc: Blocked By:
Blocking:

Description

Coverity CID 16 reports that there is a buffer overrun. The details are below.

===========================

At conditional (15): "default" taking true path

422 default:

At conditional (16): "pos < 74" taking true path
At conditional (17): "c >= 32" taking true path
At conditional (18): "c <= 122" taking true path

423 if ((pos < (RTEMS_COMMAND_BUFFER_SIZE - 1)) &&
424 (c >= ' ') && (c <= 'z'))
425 {
426 int end;
427 end = strlen (buffer);

At conditional (19): "pos < end" taking true path
At conditional (20): "end < 75" taking true path

428 if ((pos < end) && (end < RTEMS_COMMAND_BUFFER_SIZE))
429 {
430 int ch, bs;

Event assignment: Assigning "(end + 1)" to "ch"
Also see events: [overrun-local]
At conditional (21): "ch > pos" taking true path

431 for (ch = end + 1; ch > pos; ch--)

Event overrun-local: Overrun of static array "buffer" of size 75 at position 75 with index variable "ch"
Also see events: [assignment]

432 buffer[ch] = buffer[ch - 1];

Attachments (1)

pr1559.diff (752 bytes) - added by Joel Sherrill on Jun 14, 2010 at 3:12:36 PM.
Proposed patch

Download all attachments as: .zip

Change History (3)

Changed on Jun 14, 2010 at 3:12:36 PM by Joel Sherrill

Attachment: pr1559.diff added

Proposed patch

comment:1 Changed on Jun 21, 2010 at 3:26:04 PM by Joel Sherrill

Resolution: fixed
Status: newclosed

Patch committed to 4.10 and CVS head.

comment:2 Changed on Oct 10, 2017 at 6:35:44 AM by Sebastian Huber

Component: miscunspecified
Note: See TracTickets for help on using tickets.