cf2696efa0
<http://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html#available-checks> (as of recent LLVM trunk towards LLVM 10) states: "-fsanitize=object-size: An attempt to potentially use bytes which the optimizer can determine are not part of the object being accessed. This will also detect some types of undefined behavior that may not directly access memory, but are provably incorrect given the size of the objects involved, such as invalid downcasts and calling methods on invalid pointers. These checks are made in terms of __builtin_object_size, and consequently may be able to detect more problems at higher optimization levels." A `make check screenshot` with --enabled-optimized runs into two such issues that were not diagnosed with --disable-optimized, in both cases because a struct with an "idiomatic trailing dynamic array member" (statically declared to be an array of size 1) is allocated without any space for that array member, as the dynamic array size is 0 in the specific case: * For > [CUT] sc_ucalc > cppu/source/uno/copy.hxx:46:19: runtime error: member access within address 0x6020001aaa70 with insufficient space for an object of type 'uno_Sequence' (aka '_sal_Sequence') > 0x6020001aaa70: note: pointer points here > 2b 00 80 6a be be be be be be be be 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > ^ > #0 in cppu::allocSeq(int, int) at cppu/source/uno/copy.hxx:46:19 (instdir/program/libuno_cppu.so.3 +0x41f03f) > #1 in uno_type_sequence_reference2One at cppu/source/uno/sequence.cxx:813:20 (instdir/program/libuno_cppu.so.3 +0x41f03f) [...] the call to pNew = allocSeq( 0, 0 ); in uno_type_sequence_reference2One is inlined, so sal_uInt32 nSize = calcSeqMemSize( nElementSize, nElements ); in allocSeq is known to be too small. * For > testSignatureLineODF::TestBody finished in: 2044ms > engine-gpg.c:302:6: runtime error: member access within address 0x604001f24f10 with insufficient space for an object of type 'struct arg_and_data_s' > 0x604001f24f10: note: pointer points here > 6e 01 00 26 be be be be be be be be be be be be be be be be be be be be be be be be be be be be > ^ > #0 in add_data at workdir/UnpackedTarball/gpgmepp/src/engine-gpg.c:302:6 (instdir/program/libgpgme.so.11 +0x120c2b) [...] > make[1]: *** [solenv/gbuild/CppunitTest.mk:114: workdir/CppunitTest/xmlsecurity_signing.test] Error 1 the a = malloc (sizeof *a - 1); is apparently detected to be too small only with optimization enabled. In both cases, the solution is to operate on the too-small dynamically allocated object via a reinterpret_cast'ed pointer to some newly introduced "struct prefix" type. Change-Id: Ie814db1d00a439bb9189474b91d729e538e81984 Reviewed-on: https://gerrit.libreoffice.org/78548 Tested-by: Jenkins Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
52 lines
1 KiB
Diff
52 lines
1 KiB
Diff
--- src/engine-gpg.c
|
|
+++ src/engine-gpg.c
|
|
@@ -60,6 +60,15 @@
|
|
building command line to this location. */
|
|
char arg[1]; /* Used if data above is not used. */
|
|
};
|
|
+struct arg_without_data_s
|
|
+{
|
|
+ struct arg_and_data_s *next;
|
|
+ gpgme_data_t data;
|
|
+ int inbound;
|
|
+ int dup_to;
|
|
+ int print_fd;
|
|
+ int *arg_locp;
|
|
+};
|
|
|
|
|
|
struct fd_data_map_s
|
|
@@ -299,23 +308,24 @@
|
|
a = malloc (sizeof *a - 1);
|
|
if (!a)
|
|
return gpg_error_from_syserror ();
|
|
- a->next = NULL;
|
|
- a->data = data;
|
|
- a->inbound = inbound;
|
|
- a->arg_locp = NULL;
|
|
+ struct arg_without_data_s *a2 = (struct arg_without_data_s *)a;
|
|
+ a2->next = NULL;
|
|
+ a2->data = data;
|
|
+ a2->inbound = inbound;
|
|
+ a2->arg_locp = NULL;
|
|
|
|
if (dup_to == -2)
|
|
{
|
|
- a->print_fd = 1;
|
|
- a->dup_to = -1;
|
|
+ a2->print_fd = 1;
|
|
+ a2->dup_to = -1;
|
|
}
|
|
else
|
|
{
|
|
- a->print_fd = 0;
|
|
- a->dup_to = dup_to;
|
|
+ a2->print_fd = 0;
|
|
+ a2->dup_to = dup_to;
|
|
}
|
|
*gpg->argtail = a;
|
|
- gpg->argtail = &a->next;
|
|
+ gpg->argtail = &a2->next;
|
|
return 0;
|
|
}
|
|
|