Bug 1539844 - apr: FTBFS in test suite with GCC 8 due to undefined behavior
Summary: apr: FTBFS in test suite with GCC 8 due to undefined behavior
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: apr
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Florian Weimer
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-01-29 17:51 UTC by Florian Weimer
Modified: 2018-01-29 18:21 UTC

Fixed In Version: apr-1.6.3-4.fc28
Clone Of:
Environment:
Last Closed: 2018-01-29 18:21:42 UTC
Type: Bug
Embargoed:


Attachments
Patch used for fix (643 bytes, patch), 2018-01-29 18:01 UTC, Florian Weimer


Links
System: Apache Bugzilla, ID: 62056, Last Updated: 2018-01-29 18:09:46 UTC

Description Florian Weimer 2018-01-29 17:51:39 UTC
test/teststr.c contains:

    292 /* random-ish checks for strfsize buffer overflows */
    293 static void overflow_strfsize(abts_case *tc, void *data)
    294 {
    295     apr_off_t off;
    296     char buf[7];
    297 
    298     buf[5] = '$';
    299     buf[6] = '@';
    300 
    301     for (off = -9999; off < 20000; off++) {
    302         apr_strfsize(off, buf);
    303     }
    304     for (; off < 9999999; off += 9) {
    305         apr_strfsize(off, buf);
    306     }
    307     for (; off < 999999999; off += 999) {
    308         apr_strfsize(off, buf);
    309     }
    310     for (off = 1; off < LONG_MAX && off > 0; off *= 2) {
    311         apr_strfsize(off, buf);
    312         apr_strfsize(off + 1, buf);
    313         apr_strfsize(off - 1, buf);
    314     }
    315 
    316     ABTS_ASSERT(tc, "strfsize overflowed", buf[5] == '$');
    317     ABTS_ASSERT(tc, "strfsize overflowed", buf[6] == '@');
    318 }

The loop at 310 triggers undefined behavior because off is signed, so the overflow triggers undefined behavior.
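
An added example (not apr's code and not the attached patch) of the same power-of-two walk written so that it never overflows a signed long: the overflow check runs before the multiplication, so the loop does not depend on wraparound that a compiler is entitled to assume never happens. The helper names and the count/last-value bookkeeping are assumptions for illustration; apr_strfsize itself is not called.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical helper (added example, not apr code): nonzero when
 * value * 2 would not fit in a long. Both bounds are checked so the
 * same test also works for negative inputs. */
static int doubling_overflows(long value)
{
    return value > LONG_MAX / 2 || value < LONG_MIN / 2;
}

/* Walks 1, 2, 4, ... up to the largest power of two that a long can
 * hold, the same sequence the apr test feeds to apr_strfsize. Unlike
 * "for (off = 1; off < LONG_MAX && off > 0; off *= 2)", the overflow
 * check happens before the multiplication, so the loop never relies
 * on signed wraparound (undefined behavior, which a compiler may
 * assume never occurs and so treat "off > 0" as always true). Stores
 * the last power of two in *last and returns how many were visited. */
static unsigned long walk_powers_of_two(long *last)
{
    unsigned long count = 0;
    long value = 1;

    for (;;) {
        /* The real test would call apr_strfsize(value, buf) here and
         * also for value + 1 and value - 1; both neighbours are safe
         * because value never exceeds LONG_MAX / 2 + 1. */
        *last = value;
        count++;
        if (doubling_overflows(value))
            break;          /* stop before the doubling that would wrap */
        value *= 2;
    }
    return count;
}

int main(void)
{
    long last = 0;
    unsigned long n = walk_powers_of_two(&last);

    printf("visited %lu powers of two, largest %ld (LONG_MAX / 2 + 1 = %ld)\n",
           n, last, LONG_MAX / 2 + 1);
    return 0;
}
```

Building the original loop with -fsanitize=signed-integer-overflow reports the wrap at runtime, which is a quick way to catch this class of test-suite undefined behavior before a newer compiler exposes it.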

Comment 1 Florian Weimer 2018-01-29 18:01:27 UTC
Created attachment 1387932
Patch used for fix

