Bug 1539844

Summary: apr: FTBFS in test suite with GCC 8 due to undefined behavior
Product: [Fedora] Fedora Reporter: Florian Weimer <fweimer>
Component: apr Assignee: Florian Weimer <fweimer>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhide CC: bojan, jkaluza, jorton, luhliari, oliver
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: apr-1.6.3-4.fc28 Doc Type: If docs needed, set a value
Last Closed: 2018-01-29 18:21:42 UTC Type: Bug
Attachments:
Description Flags
Patch used for fix none

Description Florian Weimer 2018-01-29 17:51:39 UTC
test/teststr.c contains:

    292 /* random-ish checks for strfsize buffer overflows */
    293 static void overflow_strfsize(abts_case *tc, void *data)
    294 {
    295     apr_off_t off;
    296     char buf[7];
    297 
    298     buf[5] = '$';
    299     buf[6] = '@';
    300 
    301     for (off = -9999; off < 20000; off++) {
    302         apr_strfsize(off, buf);
    303     }
    304     for (; off < 9999999; off += 9) {
    305         apr_strfsize(off, buf);
    306     }
    307     for (; off < 999999999; off += 999) {
    308         apr_strfsize(off, buf);
    309     }
    310     for (off = 1; off < LONG_MAX && off > 0; off *= 2) {
    311         apr_strfsize(off, buf);
    312         apr_strfsize(off + 1, buf);
    313         apr_strfsize(off - 1, buf);
    314     }
    315 
    316     ABTS_ASSERT(tc, "strfsize overflowed", buf[5] == '$');
    317     ABTS_ASSERT(tc, "strfsize overflowed", buf[6] == '@');
    318 }

The loop at 310 triggers undefined behavior because off is signed, so the overflow triggers undefined behavior.
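
The loop at 310 only terminates if `off *= 2` wraps to a negative value, and signed wrap is undefined, so a compiler is allowed to assume `off > 0` stays true and drop that test. The same power-of-two walk written so that the overflow check happens before the multiplication, as an added example (not code from this bug report, from APR, or from the attached patch; `probe()` is a constructed stand-in for apr_strfsize() that just records the largest value it was handed):

```c
#include <limits.h>
#include <stdio.h>

/* Stand-in for apr_strfsize(): records the largest value probed.
 * Constructed for this example; it does not format anything. */
static long largest_probed = 0;

static void probe(long off)
{
    if (off > largest_probed)
        largest_probed = off;
}

/* Nonzero when off * 2 would exceed LONG_MAX, i.e. when the original
 * test's "off *= 2" would overflow a signed long (undefined behavior). */
static int doubling_would_overflow(long off)
{
    return off > LONG_MAX / 2;
}

/* Same walk as the loop at 310 (off, off + 1, off - 1 at every power of
 * two), but the termination test runs before the multiplication, so no
 * signed overflow ever occurs.  Returns the number of doublings performed
 * and stores the last (largest) off visited in *last_off. */
static int safe_power_of_two_walk(long *last_off)
{
    long off = 1;
    int doublings = 0;

    for (;;) {
        probe(off);
        probe(off + 1);   /* off <= LONG_MAX/2 + 1 here, so off + 1 cannot overflow */
        probe(off - 1);
        if (doubling_would_overflow(off))
            break;        /* the next "off *= 2" would be UB: stop while still defined */
        off *= 2;
        doublings++;
    }
    *last_off = off;
    return doublings;
}

int main(void)
{
    long last;
    int n = safe_power_of_two_walk(&last);
    printf("%d doublings, last off = %ld, largest probed = %ld\n",
           n, last, largest_probed);
    return 0;
}
```

The loop always stops at the largest power of two a `long` can hold, on 32-bit and 64-bit targets alike, without relying on wraparound.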

Comment 1 Florian Weimer 2018-01-29 18:01:27 UTC
Created attachment 1387932
Patch used for fix