Red Hat Bugzilla – Bug 114996
using bad data as a pointer
Last modified: 2007-11-30 17:10:36 EST
Description of problem:
I just tried to compile package libwvstreams-3.70-12 from Redhat
Fedora Core 1.
The compiler said
wvstring.cc(88): warning #592: variable "buf" is used before its value
The source code is
WvStringBuf *buf = (WvStringBuf *)malloc(WVSTRINGBUF_SIZE(buf)
+ size + WVSTRING_EXTRA);
buf is clearly used before it's value has been assigned.
I think we've been here before on this one.
Further investigation of macro WVSTRINGBUF_SIZE suggests
#define WVSTRINGBUF_SIZE(s) (s->data - (char *)s)
Accessing uninitialised data is guaranteed trouble.
Using uninitialised data as a valid pointer value is guaranteed
There could be a core dump if buf has a bad value.
Suggest init buf before first use.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
The expression (s->data - (char *)s) will always give the same result,
with any value of s, and regardless the memory s is pointing to. The
memory where s is pointing to, is not accessed during the evaluation
of the expression. We can modify the code to avoid the compiler
warning, or close this bug as not-a-bug.
>will always give the same result, with any value of s,
>and regardless the memory s is pointing to.
I think we are going round in circles on this one.
I'll try to be more explicit.
Where s contains rubbish, it could point anywhere, resulting
in a segmentation violation, have a
not legal pointer value (on some machines pointers have to be a
multiple of four).
>The memory where s is pointing to, is not accessed during the
>evaluation of the expression.
>(s->data - (char *)s)
The evaluation of s->data requies s to be read. In doing so,
a segmentation violation could occur.
#define WVSTRINGBUF_SIZE(s) (offsetof(struct WvStringBuf, data))