PR# 14477 Buffer overflow when printing object with long attribute name

Problem Report Summary
Submitter: prestoat2000
Category: Runtime
Priority: Medium
Date: 2008/06/16
Class: Bug
Severity: Serious
Number: 14477
Release: 6.2.73753
Confidential: No
Status: Closed
Responsible:
Environment: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.8.1.13) Gecko/20080328 Firefox/2.0.0.13 Solaris 10 on SPARC
Synopsis: Buffer overflow when printing object with long attribute name

Description
Trying to print `Current' when the current object has an attribute with a very
long name (or class itself has a long name) causes a buffer overflow and a
run-time panic, due to static size TAG_SIZE (currently 512) of `buffero',
which isn't big enough for all cases.  Either the size needs to be increased
to accommodate all possible names (plus anything extra put into `buffero' by
sprintf calls) or you can switch to use dynamically allocated memory and 
increase size when necessary.

To Reproduce
Freeze with attached classes and config file.
Execute system with arguments "1 1" (1 worker, 1 iteration).
System execution dies with a panic.

This example is multi-threaded, but the problem exists in single-threaded
systems as well (though it is easier to demonstrate with a test in an MT system).
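The failure mode described in this report is a fixed-size `buffero' (TAG_SIZE bytes) that receives a class or attribute name of arbitrary length through a `%s' conversion. The block below is an added illustration, not code from the EiffelStudio runtime or from the fix in rev#78019: it shows the two remedies the report proposes, a bounds-checked write into a static TAG_SIZE buffer that reports truncation instead of overflowing, and a dynamically grown buffer that sizes itself from snprintf's return value. The function names `format_tag', `format_tag_bounded' and `make_long_name', and the "<class>.<attribute>" tag layout, are assumptions made for the example; the 600-character attribute name is constructed input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same fixed size the report cites for `buffero' in the runtime. */
#define TAG_SIZE 512

/* Hypothetical replacement for an unbounded sprintf(buffero, "%s.%s", ...):
 * builds "<class>.<attribute>" into a heap buffer that starts at TAG_SIZE
 * and grows to the exact length snprintf reports. Caller frees the result.
 * Returns NULL on allocation or formatting failure. */
char *format_tag(const char *class_name, const char *attr_name)
{
    size_t cap = TAG_SIZE;
    char *buf = malloc(cap);
    if (!buf)
        return NULL;
    for (;;) {
        /* snprintf never writes past cap; n is the length that would
         * have been needed, excluding the terminating NUL. */
        int n = snprintf(buf, cap, "%s.%s", class_name, attr_name);
        if (n < 0) {
            free(buf);
            return NULL;
        }
        if ((size_t)n < cap)
            return buf;           /* fit, including the NUL */
        cap = (size_t)n + 1;      /* truncated: grow to exact need, retry */
        char *nb = realloc(buf, cap);
        if (!nb) {
            free(buf);
            return NULL;
        }
        buf = nb;
    }
}

/* Bounded variant for callers that must keep the static TAG_SIZE buffer:
 * never writes past TAG_SIZE bytes. Returns 1 when the whole tag fit,
 * 0 when it was truncated (the caller can then fall back to format_tag). */
int format_tag_bounded(char out[TAG_SIZE], const char *class_name,
                       const char *attr_name)
{
    int n = snprintf(out, TAG_SIZE, "%s.%s", class_name, attr_name);
    return n >= 0 && n < TAG_SIZE;
}

/* Constructed test input: an attribute name of `len' 'a' characters,
 * long enough on its own to exceed TAG_SIZE. Caller frees. */
char *make_long_name(size_t len)
{
    char *s = malloc(len + 1);
    if (!s)
        return NULL;
    memset(s, 'a', len);
    s[len] = '\0';
    return s;
}

int main(void)
{
    char *attr = make_long_name(600);   /* 600 > TAG_SIZE, as in the report */
    char fixed[TAG_SIZE];
    char *tag = format_tag("WORKER", attr);

    printf("bounded write fit: %d\n", format_tag_bounded(fixed, "WORKER", attr));
    printf("dynamic tag length: %zu\n", tag ? strlen(tag) : 0);

    free(tag);
    free(attr);
    return 0;
}
```

With a 600-character attribute name the bounded variant reports truncation (return 0) and leaves exactly TAG_SIZE - 1 characters plus a NUL in the static buffer, while the dynamic variant returns the full 607-character tag. The point of checking snprintf's return value rather than relying on a "big enough" constant is that the overflow the report describes cannot recur no matter how long a class or attribute name is.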

Problem Report Interactions
From: manus_eiffel    Date: 2009/04/01    Status: Closed
This is now fixed. We never use the %s qualifier now for writing strings which is where the buffer overflow would occur.

Fixed in rev#78019

From: prestoat2000    Date: 2009/03/26
Added eweasel test exec310 for this bug.

From: prestoat2000    Date: 2008/06/16
Attachments for problem report #14477

Attachment: test.e     Size:594
Attachment: worker.e     Size:2533
Attachment: test.ecf     Size:1238