Blame SOURCES/rhbz1153673.patch

commit a1a230af2ea557ed7a9fcd9485ac16278dbdf778
Author: Frank Ch. Eigler <fche@redhat.com>
Date:   Thu Oct 16 16:25:55 2014 -0400
    RHBZ1153673: speculatively correct segv in dead_control_remover
    
    It was reported that ::visit_block was occasionally called with
    a 0-size input vs[].  That leads to an array overflow, as the
    for condition becomes approx. (i < UINT_MAX).
    
       for (size_t i = 0; i < vs.size() - 1; ++i)
         do_something_with (vs[i]);
    
    Let's reject 0-size vectors right away.
diff --git a/elaborate.cxx b/elaborate.cxx
fab312
index fa90fe7..35109ab 100644
fab312
--- a/elaborate.cxx
fab312
+++ b/elaborate.cxx
fab312
@@ -4041,6 +4041,8 @@ struct dead_control_remover: public traversing_visitor
fab312
 void dead_control_remover::visit_block (block* b)
fab312
 {
fab312
   vector<statement*>& vs = b->statements;
fab312
+  if (vs.size() == 0) /* else (size_t) size()-1 => very big */
fab312
+    return;
fab312
   for (size_t i = 0; i < vs.size() - 1; ++i)
fab312
     {
fab312
       vs[i]->visit (this);
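Review bot: The loop bound `vs.size() - 1` in visit_block still depends on unsigned arithmetic that wraps for an empty vector; the added guard only keeps that expression from being reached, so the out-of-bounds read on `vs[i]` comes back if the guard is ever moved or dropped. Writing the condition as `i + 1 < vs.size()` removes the wraparound at its source and makes the early return unnecessary for memory safety, and `vs.empty()` would read more directly than `vs.size() == 0` if the guard is kept. The body of visit_block continues past this hunk, so it should be confirmed that skipping everything after the loop is intended for an empty block. Since the commit message calls the fix speculative, a short comment such as `// empty blocks have been observed here (RHBZ1153673); producer not yet identified` would keep the open root cause visible.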