Bug 80760 - array one byte too short
Summary: array one byte too short
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: mc
Version: 8.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Jakub Jelinek
QA Contact: Jay Turner
URL:
Whiteboard: triage|leonardjo|closed|currentrelease
Depends On:
Blocks: 79579 CambridgeTarget
Reported: 2002-12-30 23:43 UTC by d.binderman
Modified: 2015-01-08 00:02 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-03-31 16:20:44 UTC
Embargoed:



Description d.binderman 2002-12-30 23:43:41 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.6 [en-gb]C-CCK-MCD NetscapeOnline.co.uk  (Win98; I)

Description of problem:

Hello there,

I have just tried to compile mc-4.5.55-12 from Redhat 8.0

Here are some of the messages the compiler produces

cc: Info: cpio.c, line 303: In this statement, an array is being accessed outside the bounds specified for the array type. (subscrbounds)
cc: Info: cpio.c, line 351: In this statement, an array is being accessed outside the bounds specified for the array type. (subscrbounds)

Here is an untested patch to shut up the compiler.

./vfs/cpio.c.old ./vfs/cpio.c
*** ./vfs/cpio.c.old	Thu Dec 19 20:19:28 2002
--- ./vfs/cpio.c	Thu Dec 19 20:33:32 2002
***************
*** 293,299 ****
  {
      struct new_cpio_header hd;
      struct stat stat;
!     char *buf[HEAD_LENGTH + 1];
      int len;
      char *name;
  
--- 293,299 ----
  {
      struct new_cpio_header hd;
      struct stat stat;
!     char *buf[HEAD_LENGTH + 2];
      int len;
      char *name;
  
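Review bot: the changed declaration in the first function is still `char *buf[HEAD_LENGTH + 2]`, an array of pointers, while the second function declares `char buf[...]`; if this buffer is meant to hold header bytes the element type should be `char`, and adding one more pointer-sized slot only hides the out-of-bounds subscript the compiler reports at line 303. That statement lies outside the 293-299 context shown here, so please include it in the patch and correct the index there instead of growing the array.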
***************
*** 341,347 ****
  {
      struct new_cpio_header hd;
      struct stat stat;
!     char buf[HEAD_LENGTH + 1];
      int len;
      char *name;
  
--- 341,347 ----
  {
      struct new_cpio_header hd;
      struct stat stat;
!     char buf[HEAD_LENGTH + 2];
      int len;
      char *name;
  
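Review bot: `char buf[HEAD_LENGTH + 2]` makes the line 351 warning go away by padding the array, but the subscript that triggered it is not in this hunk (context ends at 347) and is left unchanged, so whether one extra byte is the right amount cannot be checked from the patch. I would keep `HEAD_LENGTH + 1` and fix the index in the flagged statement, or at least add a comment saying what the second extra byte is for; the description also says the patch is untested.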


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Compile with any C compiler that checks array indices, for example Compaq C.

Additional info:

Comment 1 Andrew V. Samoilov 2004-02-18 07:57:04 UTC
Fixed in 4.6.0, as well as many other possible buffer overflows.

Comment 2 Leonard den Ottolander 2004-03-31 16:20:44 UTC
The problem is not the buffer length but the incorrect indexing used
in the assignments. Also in the first example a handle instead of a
pointer is used.

Verified that this is fixed in 4.6.0. Closing CURRENTRELEASE.
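
An added illustration of the point made in Comment 2, not mc's code: a fixed-length header is copied into `char buf[HEAD_LENGTH + 1]` and terminated at index `HEAD_LENGTH`, so the array needs no padding. The value 110 for `HEAD_LENGTH` (the cpio "newc" header size), the names `parse_head` and `make_sample`, and the sample header are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define HEAD_LENGTH 110  /* assumption: cpio "newc" header, 6-byte magic + 13 x 8 hex digits */

struct head { unsigned long ino, mode, filesize, namesize; };

/* Parse one header from src. Returns 0 on success, -1 on short or malformed input. */
int parse_head(const char *src, size_t len, struct head *h)
{
    char buf[HEAD_LENGTH + 1];   /* char elements (not char *), one spare byte for the NUL */

    if (len < HEAD_LENGTH)
        return -1;               /* short read: never parse a partial header */
    memcpy(buf, src, HEAD_LENGTH);
    buf[HEAD_LENGTH] = '\0';     /* last valid index; buf[HEAD_LENGTH + 1] would be out of bounds */

    /* Skipped fields: uid, gid, nlink, mtime, then the four dev numbers. */
    if (sscanf(buf, "070701%8lx%8lx%*8lx%*8lx%*8lx%*8lx%8lx%*8lx%*8lx%*8lx%*8lx%8lx",
               &h->ino, &h->mode, &h->filesize, &h->namesize) != 4)
        return -1;
    return 0;
}

/* Constructed sample: one header followed by the 6-byte name "hello\0". */
size_t make_sample(char *dst, size_t cap)
{
    int n;

    if (cap < HEAD_LENGTH + 6)
        return 0;
    n = snprintf(dst, cap, "070701%08lX%08lX%08lX%08lX%08lX%08lX%08lX"
                 "%08lX%08lX%08lX%08lX%08lX%08lX",
                 0x2aUL, 0x81a4UL, 0UL, 0UL, 1UL, 0UL, 0x10UL,
                 0UL, 0UL, 0UL, 0UL, 6UL, 0UL);
    memcpy(dst + n, "hello", 6); /* overwrites snprintf's NUL: header runs straight into the name */
    return (size_t)n + 6;
}

int main(void)
{
    char sample[HEAD_LENGTH + 6];
    struct head h;
    size_t n = make_sample(sample, sizeof sample);

    if (parse_head(sample, n, &h) != 0)
        return 1;
    printf("ino=%lx mode=%lo filesize=%lu namesize=%lu\n", h.ino, h.mode, h.filesize, h.namesize);
    return 0;
}
```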


