git@vger.kernel.org list mirror (unofficial, one of many)
 help / color / mirror / code / Atom feed
* Possibly wrong assignment in config.c
@ 2021-10-13 17:05 Andrea Monaco
  2021-10-13 19:14 ` Junio C Hamano
  0 siblings, 1 reply; 2+ messages in thread
From: Andrea Monaco @ 2021-10-13 17:05 UTC (permalink / raw)
  To: git


Hello,


while building git I get the following warning:


config.c: In function 'git_config_copy_or_rename_section_in_file':
config.c:3358:17: warning: writing 1 byte into a region of size 0 [-Wstringop-overflow=]
 3358 |       output[0] = '\t';
      |       ~~~~~~~~~~^~~~~~
config.c:3264:7: note: at offset -1 to object 'buf' with size 1024 declared here
 3264 |  char buf[1024];
      |       ^~~


concerning these lines:

  output -= 1;
  output[0] = '\t';


Perhaps it has some merit.  output is previously equal to an array
buf[1024], so the assignment apparently goes outside allocated memory.



Let me know,

Andrea Monaco

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: Possibly wrong assignment in config.c
  2021-10-13 17:05 Possibly wrong assignment in config.c Andrea Monaco
@ 2021-10-13 19:14 ` Junio C Hamano
  0 siblings, 0 replies; 2+ messages in thread
From: Junio C Hamano @ 2021-10-13 19:14 UTC (permalink / raw)
  To: Andrea Monaco; +Cc: git

Andrea Monaco <andrea.monaco@autistici.org> writes:

> config.c: In function 'git_config_copy_or_rename_section_in_file':
> config.c:3358:17: warning: writing 1 byte into a region of size 0 [-Wstringop-overflow=]
>  3358 |       output[0] = '\t';
>       |       ~~~~~~~~~~^~~~~~

Hmph, with a wider context, I think the tool is pointing at the
assignment found here?

	while (fgets(buf, sizeof(buf), config_file)) {
		unsigned i;
		int length;
		int is_section = 0;
		char *output = buf;
		for (i = 0; buf[i] && isspace(buf[i]); i++)
			; /* do nothing */
		if (buf[i] == '[') {
			/* it's a section */
			int offset;
			...
			offset = section_name_match(&buf[i], old_name);
			if (offset > 0) {
				...
					output += offset + i;
					if (strlen(output) > 0) {
						...
						output -= 1;
						output[0] = '\t';
					}
				} else {
					copystr = store_create_section(new_name, &store);
				}
			}
			remove = 0;
		}

Inside the "if (buf[i] == '[')" block, i is not negative, and inside
the "if (offset > 0)" block, offset is positive.  So "output +=
offset + i", unless offset and i are so huge to cause integer
wraparound, would only be incrementing offset by some positive
integer.  So immediately after "output += offset + i", output is at
least buf+1, if not larger, and &output[-1] is at least pointing at
&buf[0], no?

Or is the tool worried about integer addition (offset+i) wrapping
around?

Or I may need a bit more caffeine, perhaps?  I am puzzled...

Thanks.




^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2021-10-13 19:14 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-10-13 17:05 Possibly wrong assignment in config.c Andrea Monaco
2021-10-13 19:14 ` Junio C Hamano

Code repositories for project(s) associated with this inbox:

	https://80x24.org/mirrors/git.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).