Wireshark-dev: Re: [Wireshark-dev] Memory corruption on x86_64 / GCC 4.2.3
From: Alexey Neyman <avn@xxxxxxxxxxxxxxx>
Date: Sat, 2 Aug 2008 18:31:40 -0700
Small correction: the option to GCC which fixes this problem 
is "-fno-tree-vrp", not "-fno-strict-overflow".

Best regards,
Alexey Neyman.

On Saturday 02 August 2008 03:04:17 Alexey Neyman wrote:
> Howdy,
>
> While testing the changes, I stumbled over canaries in epan/emem.c
> signaling memory corruption. It happened during the fuzz testing
> approximately once in 30 passes. The capture file triggering this bug
> is attached.
>
> The problem is with the time_secs_to_str_buf() function. If this
> function is supplied with the time value of -2147483648 (0x80000000),
> the "time = -time" statement has no effect - the value of 'time'
> remains 0x80000000. The conditional below which checks for that
> particular value ("Unable to cope with time value"), however, gets
> optimized away. As a result, the values of 'secs', 'mins' and 'hours'
> are negative; when these values are converted to unsigned, they
> become large 10-digit positive integers, which overflow the buffer
> allocated by the time_secs_to_str() function (which is only 51
> bytes).
>
> A quick fix is to add "-fno-strict-overflow" to CFLAGS; it will
> prevent GCC from optimizing out this conditional. Perhaps, configure
> should be modified to check if this flag is supported and use it if
> it is. Perhaps, the code in time_secs_to_str_buf() needs to be
> re-written to avoid such optimization.
>
> FWIW, I am running Ubuntu Hardy Heron (8.04.1), x86_64 architecture.
>
> Best regards,
> Alexey Neyman.