Wireshark-dev: Re: [Wireshark-dev] Memory corruption on x86_64 / GCC 4.2.3
From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Sun, 03 Aug 2008 11:30:11 +0200
Hi,

As I already noted in bug 2733, time_secs_to_str_buf() should be modified to handle the signed/unsigned cases properly.

Thanx,
Jaap

Alexey Neyman wrote:
Small correction: the option to GCC which fixes this problem is "-fno-tree-vrp", not "-fno-strict-overflow".

Best regards,
Alexey Neyman.

On Saturday 02 August 2008 03:04:17 Alexey Neyman wrote:
Howdy,

While testing the changes, I stumbled over canaries in epan/emem.c
signaling memory corruption. It happened during the fuzz testing
approximately once in 30 passes. The capture file triggering this bug
is attached.

The problem is with the time_secs_to_str_buf() function. If this
function is supplied with the time value of -2147483648 (0x80000000),
the "time = -time" statement has no effect - the value of 'time'
remains 0x80000000. The conditional below which checks for that
particular value ("Unable to cope with time value"), however, gets
optimized away. As a result, the values of 'secs', 'mins' and 'hours'
are negative; when these values are converted to unsigned, they
become large 10-digit positive integers, which overflow the buffer
allocated by the time_secs_to_str() function (which is only 51
bytes).

A quick fix is to add "-fno-strict-overflow" to CFLAGS; it will
prevent GCC from optimizing out this conditional. Perhaps configure
should be modified to check if this flag is supported and use it if
it is. Perhaps the code in time_secs_to_str_buf() needs to be
re-written to avoid such optimization.

FWIW, I am running Ubuntu Hardy Heron (8.04.1), x86_64 architecture.

Best regards,
Alexey Neyman.
_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-dev
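The fix the thread asks for, rewriting the function so it does not depend on the compiler keeping a check that follows signed overflow, is shown below as an added example. This is not Wireshark's time_secs_to_str_buf(); the function names, the "H hours, M minutes, S seconds" output format and the static-buffer wrapper are assumptions for this example. The only figure taken from the thread is the 51-byte buffer size. The point it demonstrates is that negating the magnitude in unsigned arithmetic is well-defined for INT_MIN, so every later quantity is unsigned by construction, and that the formatter reports when the result would not fit instead of overrunning the buffer.

```c
/* Added example (not Wireshark's code): a bounded, overflow-safe variant of a
 * seconds-to-string formatter in the spirit of time_secs_to_str_buf().
 * Function names and the output format are assumptions for this example. */
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Same size the thread gives for the buffer allocated by time_secs_to_str(). */
#define TIME_STR_BUF_LEN 51

/* Magnitude of a signed value, computed in unsigned arithmetic.
 * "time = -time" on INT_MIN is signed overflow (undefined behaviour), which is
 * what lets GCC's value-range propagation delete the check that follows it.
 * 0u - (unsigned)INT_MIN is well-defined and yields 2147483648u. */
unsigned int unsigned_magnitude(int v)
{
    return v < 0 ? 0u - (unsigned int)v : (unsigned int)v;
}

/* Formats 'time' seconds as "[-]H hours, M minutes, S seconds" into buf.
 * Returns 0 on success, -1 if the result would not fit (or buf is unusable);
 * on failure the buffer is left as an empty string, not partially written. */
int safe_time_secs_to_str(int time, char *buf, size_t buflen)
{
    unsigned int t, hours, mins, secs;
    int n;

    if (buf == NULL || buflen == 0)
        return -1;

    t     = unsigned_magnitude(time);
    hours = t / 3600;
    mins  = (t % 3600) / 60;
    secs  = t % 60;

    /* Every quantity is unsigned here, so no negative value can reach %u
     * and turn into a 10-digit number the buffer was never sized for. */
    n = snprintf(buf, buflen, "%s%u hours, %u minutes, %u seconds",
                 time < 0 ? "-" : "", hours, mins, secs);
    if (n < 0 || (size_t)n >= buflen) {
        buf[0] = '\0';
        return -1;
    }
    return 0;
}

/* Convenience wrapper using a static buffer of the original size;
 * returns NULL when the value does not fit. */
const char *time_secs_to_str_static(int time)
{
    static char buf[TIME_STR_BUF_LEN];
    return safe_time_secs_to_str(time, buf, sizeof buf) == 0 ? buf : NULL;
}

/* Reports (1/0) whether 'time' can be formatted into a buffer of 'buflen'
 * bytes; buflen is capped at 64 so the probe buffer can live on the stack. */
int time_str_fits(int time, size_t buflen)
{
    char probe[64];
    if (buflen > sizeof probe)
        buflen = sizeof probe;
    return safe_time_secs_to_str(time, probe, buflen) == 0;
}

int main(void)
{
    /* INT_MIN is the 0x80000000 value from the fuzzed capture in the thread. */
    const char *s = time_secs_to_str_static(INT_MIN);
    printf("%s\n", s ? s : "(does not fit)");
    return 0;
}
```

Compiling this with and without -fno-tree-vrp gives the same result, because nothing in it is undefined for the compiler to reason away; that is the property a rewrite should aim for rather than relying on a CFLAGS workaround.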