PR# 14586 Eget may return too small area if `extend' has to get urgent chunk

Problem Report Summary
Submitter: prestoat2000
Category: Runtime
Priority: Medium
Date: 2008/07/15
Class: Bug
Severity: Serious
Number: 14586
Release: 6.2.75753
Confidential: No
Status: Open
Responsible: manus_eiffel
Environment: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.8.1.13) Gecko/20080328 Firefox/2.0.0.13 Solaris 10 on SPARC
Synopsis: Eget may return too small area if `extend' has to get urgent chunk

Description
Based on code inspection only, it looks like routine `eget' (in local.c) can return an area that is too small to hold the requested number of locals. There are two problems. First, if eget has to call `extend', the latter routine has the same problem noted in bug #14585. If it has to get an urgent chunk, it does not adjust `l_size' properly before using it to set chunk->sk_end and stk->st_end (though in this case, there might not be a problem). Second, `extend' does not check whether the urgent chunk can hold the requested number of items `nb_items'. If it is too small, the caller will write past the end of the urgent chunk.

Routine `extend' needs to verify that the urgent chunk can hold the requested number of items and, if not, release the urgent chunk for use by others (have to be careful in an MT environment) and return -1.

Note also that `ufill' and `uchunk' are not thread-safe (as noted in the code) since they manipulate `urgent_index', which is not currently protected by a mutex.
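The following is an added illustration of the failure mode and the proposed fix, not code from the Eiffel runtime or from local.c. It is a hypothetical, single-threaded chunked-stack allocator that borrows the names from the report (`eget', `extend', `uchunk', sk_end, st_end, nb_items); the `urelease' helper, the `checked' flag, the `demo' driver and the malloc-failure knob are assumptions made for the example. With `checked' off, `extend' installs the urgent chunk blindly, so `eget' hands back an area that runs past sk_end; with `checked' on, `extend' verifies the chunk can hold nb_items, releases it otherwise, and returns -1 so `eget' fails cleanly. A real runtime would also have to take a mutex around the urgent-chunk bookkeeping, which this toy omits.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical slot type standing in for one local-variable entry. */
typedef struct { long v; } item;

/* Hypothetical chunk/stack layout, named after the fields the report mentions. */
typedef struct chunk {
    struct chunk *sk_next;
    item *sk_arena;   /* first slot of the chunk */
    item *sk_end;     /* one past the last slot */
} chunk;

typedef struct {
    chunk *st_cur;    /* chunk currently in use */
    item  *st_top;    /* next free slot in st_cur */
    item  *st_end;    /* copy of st_cur->sk_end */
} stack;

/* One reserved "urgent" chunk, handed out only when malloc() fails.
 * Single-threaded toy: a real runtime must guard the in-use flag with a mutex. */
#define URGENT_ITEMS 8
static item  urgent_arena[URGENT_ITEMS];
static chunk urgent_chunk = { NULL, urgent_arena, urgent_arena + URGENT_ITEMS };
static int   urgent_in_use = 0;
static int   malloc_should_fail = 0;   /* test knob simulating memory exhaustion */

static chunk *uchunk(void) {
    if (urgent_in_use) return NULL;
    urgent_in_use = 1;
    return &urgent_chunk;
}

static void urelease(chunk *c) {
    if (c == &urgent_chunk) urgent_in_use = 0;
}

int urgent_available(void) { return !urgent_in_use; }

/* Install a chunk able to hold nb_items slots. Returns 0 on success, -1 on failure.
 * With checked == 0 the urgent chunk is installed blindly, as the report describes;
 * with checked == 1 it is first verified to fit nb_items and released otherwise. */
static int extend(stack *stk, size_t nb_items, int checked) {
    chunk *c = NULL;
    if (!malloc_should_fail) {
        size_t n = nb_items > 64 ? nb_items : 64;
        c = malloc(sizeof *c + n * sizeof(item));
        if (c) {
            c->sk_arena = (item *)(c + 1);
            c->sk_end   = c->sk_arena + n;
        }
    }
    if (c == NULL) {
        c = uchunk();
        if (c == NULL) return -1;
        if (checked && (size_t)(c->sk_end - c->sk_arena) < nb_items) {
            urelease(c);      /* too small: give it back for others and fail cleanly */
            return -1;
        }
    }
    c->sk_next  = NULL;
    stk->st_cur = c;
    stk->st_top = c->sk_arena;
    stk->st_end = c->sk_end;
    return 0;
}

/* Reserve nb_items consecutive slots; NULL when no chunk can hold them. */
static item *eget(stack *stk, size_t nb_items, int checked) {
    item *area;
    if (stk->st_top == NULL || (size_t)(stk->st_end - stk->st_top) < nb_items) {
        if (extend(stk, nb_items, checked) < 0) return NULL;
    }
    area = stk->st_top;
    stk->st_top += nb_items;   /* unchecked urgent path: this may run past sk_end */
    return area;
}

/* Drive one eget on a fresh stack. Returns -1 if eget refused, otherwise the number
 * of slots by which the returned area overruns its chunk (0 means the area is safe). */
long demo(size_t nb_items, int malloc_fails, int checked) {
    stack stk = { NULL, NULL, NULL };
    long  overrun;
    item *area;

    urgent_in_use = 0;
    malloc_should_fail = malloc_fails;
    area = eget(&stk, nb_items, checked);
    malloc_should_fail = 0;
    if (area == NULL) return -1;

    overrun = (long)nb_items - (long)(stk.st_cur->sk_end - area);
    if (stk.st_cur != &urgent_chunk) free(stk.st_cur);
    return overrun > 0 ? overrun : 0;
}

int main(void) {
    long r;
    printf("malloc ok, 20 items, checked   : overrun %ld\n", demo(20, 0, 1));
    printf("malloc fails, 4 items, checked : overrun %ld\n", demo(4, 1, 1));
    printf("malloc fails, 20 items, blind  : overrun %ld (caller would write past the urgent chunk)\n",
           demo(20, 1, 0));
    r = demo(20, 1, 1);
    printf("malloc fails, 20 items, checked: %ld (refused), urgent chunk free again: %d\n",
           r, urgent_available());
    return 0;
}
```

The blind path returns an area whose last 12 slots lie beyond the 8-slot urgent chunk; nothing in the allocator stops the caller from filling them. The checked path is the behaviour the report asks for: the chunk is handed back (`urgent_available' is 1 again) and the caller sees a failure it can act on instead of a silent overrun.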

To Reproduce

Problem Report Interactions