Bug 178772 - Off-by-one mistake in temp filename creation
Status: CLOSED DUPLICATE of bug 174016
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: dos2unix
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assignee: Tim Waugh
QA Contact: Ben Levenson
Reported: 2006-01-24 09:36 UTC by Bastien Nocera
Modified: 2007-11-30 22:07 UTC (History)
Doc Type: Bug Fix
Last Closed: 2006-01-24 09:58:02 UTC

Attachments
dos2unix-off-by-one.patch (630 bytes, patch)
2006-01-24 09:36 UTC, Bastien Nocera

Description Bastien Nocera 2006-01-24 09:36:55 UTC
dos2unix-3.1-21

Forgot to include the null-terminator in the temp filename length calculation.
Patch attached.

==19570== Invalid write of size 1
==19570==    at 0x9BC15B: _IO_vsprintf_internal (in /lib/tls/libc-2.3.4.so)
==19570==    by 0x9A94CA: _IO_sprintf (in /lib/tls/libc-2.3.4.so)
==19570==    by 0x8048E7F: MakeTempFileFrom (dos2unix.c:289)
==19570==    by 0x8049277: ConvertDosToUnixOldFile (dos2unix.c:409)
==19570==  Address 0x1B91F0BE is 0 bytes after a block of size 14 alloc'd
==19570==    at 0x1B904984: malloc (vg_replace_malloc.c:131)
==19570==    by 0x8048E5A: MakeTempFileFrom (dos2unix.c:287)
==19570==    by 0x8049277: ConvertDosToUnixOldFile (dos2unix.c:409)
==19570==    by 0x8049552: main (dos2unix.c:601)
==19570==
==19570== Conditional jump or move depends on uninitialised value(s)
==19570==    at 0x9CFEC7: strlen (in /lib/tls/libc-2.3.4.so)
==19570==    by 0xA27902: mkstemp (in /lib/tls/libc-2.3.4.so)
==19570==    by 0x8048E94: MakeTempFileFrom (dos2unix.c:294)
==19570==    by 0x8049277: ConvertDosToUnixOldFile (dos2unix.c:409)
==19570==
==19570== Invalid read of size 1
==19570==    at 0x9B7E96: __gen_tempname (in /lib/tls/libc-2.3.4.so)
==19570==    by 0xA27902: mkstemp (in /lib/tls/libc-2.3.4.so)
==19570==    by 0x8048E94: MakeTempFileFrom (dos2unix.c:294)
==19570==    by 0x8049277: ConvertDosToUnixOldFile (dos2unix.c:409)
==19570==  Address 0x1B91F0BE is 0 bytes after a block of size 14 alloc'd
==19570==    at 0x1B904984: malloc (vg_replace_malloc.c:131)
==19570==    by 0x8048E5A: MakeTempFileFrom (dos2unix.c:287)
==19570==    by 0x8049277: ConvertDosToUnixOldFile (dos2unix.c:409)
==19570==    by 0x8049552: main (dos2unix.c:601)
==19570==
==19570== Syscall param open(pathname) contains uninitialised or unaddressable byte(s)
==19570==    at 0xA1F673: __open_nocancel (in /lib/tls/libc-2.3.4.so)
==19570==    by 0xA27902: mkstemp (in /lib/tls/libc-2.3.4.so)
==19570==    by 0x8048E94: MakeTempFileFrom (dos2unix.c:294)
==19570==    by 0x8049277: ConvertDosToUnixOldFile (dos2unix.c:409)
==19570==  Address 0x1B91F0BE is 0 bytes after a block of size 14 alloc'd
==19570==    at 0x1B904984: malloc (vg_replace_malloc.c:131)
==19570==    by 0x8048E5A: MakeTempFileFrom (dos2unix.c:287)
==19570==    by 0x8049277: ConvertDosToUnixOldFile (dos2unix.c:409)
==19570==    by 0x8049552: main (dos2unix.c:601)
==19570==
==19570== Syscall param rename(oldpath) contains uninitialised or unaddressable byte(s)
==19570==    at 0x9B83E6: rename (in /lib/tls/libc-2.3.4.so)
==19570==    by 0x8049552: main (dos2unix.c:601)
==19570==  Address 0x1B91F0BE is 0 bytes after a block of size 14 alloc'd
==19570==    at 0x1B904984: malloc (vg_replace_malloc.c:131)
==19570==    by 0x8048E5A: MakeTempFileFrom (dos2unix.c:287)
==19570==    by 0x8049277: ConvertDosToUnixOldFile (dos2unix.c:409)
==19570==    by 0x8049552: main (dos2unix.c:601)
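
The size arithmetic behind the first Valgrind error, as an added example that is not the dos2unix source or the attached patch: the undersized calculation next to the corrected one, with a bounded write that refuses to truncate. The `TMP_SUFFIX` value, the function names and the `notes.txt` input are assumptions; the suffix was picked so that a directory of `.` gives the 14-byte block seen in the trace.

```c
#define _POSIX_C_SOURCE 200809L
#include <libgen.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed template suffix (not taken from the page), 13 characters. */
#define TMP_SUFFIX "/d2utmpXXXXXX"

/* Size as the report describes the bug: characters only, no terminator. */
size_t template_len_without_nul(const char *dir) {
    return strlen(dir) + strlen(TMP_SUFFIX);
}

/* Corrected size: one more byte for the '\0' that sprintf() appends. */
size_t template_size_with_nul(const char *dir) {
    return strlen(dir) + strlen(TMP_SUFFIX) + 1;
}

/* Build dirname(out_path) + TMP_SUFFIX in a correctly sized heap buffer.
 * Returns NULL on allocation failure or if the bounded write would truncate. */
char *make_temp_template(const char *out_path) {
    char *copy = strdup(out_path);   /* dirname() may modify its argument */
    if (!copy) return NULL;
    const char *dir = dirname(copy);
    size_t size = template_size_with_nul(dir);
    char *tmpl = malloc(size);
    if (tmpl) {
        int n = snprintf(tmpl, size, "%s%s", dir, TMP_SUFFIX);
        if (n < 0 || (size_t)n >= size) { free(tmpl); tmpl = NULL; }
    }
    free(copy);
    return tmpl;
}

int main(void) {
    char *tmpl = make_temp_template("notes.txt");   /* constructed input */
    if (!tmpl) return 1;
    printf("undersized: %zu bytes, needed: %zu bytes\n",
           template_len_without_nul("."), strlen(tmpl) + 1);
    int fd = mkstemp(tmpl);   /* rewrites XXXXXX in place; relies on the '\0' */
    if (fd < 0) { perror("mkstemp"); free(tmpl); return 1; }
    printf("created %s\n", tmpl);
    close(fd);
    unlink(tmpl);
    free(tmpl);
    return 0;
}
```

With the undersized length, the terminator lands at offset 14 of a 14-byte block, which is the "0 bytes after a block of size 14" address that every later `strlen`, `open` and `rename` in the trace then reads.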

Comment 1 Bastien Nocera 2006-01-24 09:36:55 UTC
Created attachment 123606
dos2unix-off-by-one.patch

Comment 2 Tim Waugh 2006-01-24 09:58:02 UTC

*** This bug has been marked as a duplicate of 174016 ***