On Sat, May 30, 2020 at 09:11:23PM +0200, Jakub Jelinek via Gcc-patches wrote:
> There is a possible buffer overflow in the string with or without that
> change but to fix that I think it would be desirable to pass not just the
> string buffer to the function but also the length of the buffer and in the
> function verify it will not overflow. There is no reason to use sprintf
> which is fairly expensive, and could be even simplified.
>
> So, once dt_name is const char *, change that
>   if (derived->attr.unlimited_polymorphic)
>     sprintf (string, "_%s", dt_name);
>   else if (derived->module)
>     sprintf (string, "%s_%s", derived->module, dt_name);
>   else if (derived->ns->proc_name)
>     sprintf (string, "%s_%s", derived->ns->proc_name->name, dt_name);
>   else
>     sprintf (string, "_%s", dt_name);
> to something like:
>   const char *first = "";
>   if (!derived->attr.unlimited_polymorphic)
>     {
>       if (derived->module)
>         first = derived->module;
>       else if (derived->ns->proc_name)
>         first = derived->ns->proc_name->name;
>     }
>   size_t len1 = strlen (first), len2 = strlen (dt_name);
>   if (len1 + 1 + len2 + 1 >= len) // len being the new passed argument -
>                                   // length of the buffer pointed by string
>     gfc_internal_error (...);
>   memcpy (string, first, len1);
>   string[len1] = '_';
>   memcpy (string + len1 + 1, dt_name, len2 + 1);
Or, if you prefer, replace everything starting with len1 above with
  snprintf (string, len, "%s_%s", first, dt_name);
which will truncate (and if you need, you could
  if ((size_t) snprintf (string, len, "%s_%s", first, dt_name) >= len)
    gfc_internal_error (...);

	Jakub
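The bounded name-building scheme from the message, as a stand-alone added example (not the patch itself nor GCC's code): the `derived->module` / `derived->ns->proc_name->name` fields are reduced to plain string parameters, and instead of calling `gfc_internal_error` the functions return -1 so the caller can see that the result would not have fit. The function names and the `unlimited_polymorphic` flag parameter are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Builds "<first>_<dt_name>" into string[0..len) without ever writing past
   the buffer.  Returns 0 on success, -1 if the result (including the NUL)
   would not fit; nothing is written in that case. */
int build_dt_string (char *string, size_t len, const char *module,
                     const char *proc_name, const char *dt_name,
                     int unlimited_polymorphic)
{
  /* Same prefix selection as in the message: unlimited polymorphic types
     get an empty prefix, otherwise the module, else the enclosing
     procedure's name. */
  const char *first = "";
  if (!unlimited_polymorphic)
    {
      if (module)
        first = module;
      else if (proc_name)
        first = proc_name;
    }
  size_t len1 = strlen (first), len2 = strlen (dt_name);
  /* Bytes needed: prefix + '_' + name + terminating NUL. */
  if (len1 + 1 + len2 + 1 > len)
    return -1;
  memcpy (string, first, len1);
  string[len1] = '_';
  memcpy (string + len1 + 1, dt_name, len2 + 1);
  return 0;
}

/* The snprintf variant: snprintf never overruns, and a return value >= len
   means the output was truncated, which is what the caller must check. */
int build_dt_string_snprintf (char *string, size_t len, const char *first,
                              const char *dt_name)
{
  int n = snprintf (string, len, "%s_%s", first, dt_name);
  return (n < 0 || (size_t) n >= len) ? -1 : 0;
}

int main (void)
{
  char buf[8];  /* constructed: deliberately too small for "mymod_point" */
  int rc = build_dt_string (buf, sizeof buf, "mymod", NULL, "point", 0);
  printf ("8-byte buffer: rc=%d (would have needed %zu bytes)\n", rc,
          strlen ("mymod_point") + 1);
  return 0;
}
```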