[PATCH] buffer overflow checking for string functions

Francois Gouget fgouget at free.fr
Fri Sep 5 06:01:05 CDT 2008 

On Thu, 4 Sep 2008, Marcus Meissner wrote:
[...]
> +#if defined(__GNUC__) && (__GNUC__ < 4)
> +# define __builtin_object_size(x,y) -1
> +#endif

Shouldn't this be:

   #if !defined(__GNUC__) || (__GNUC__ < 4)

To preserve compatibility with non-GNU compilers.


> +static inline INT
> +WINAPI MultiByteToWideChar_ichk(
> +	UINT cp,DWORD flags,
> +	LPCSTR src,INT srclen,INT srcbuflen,
> +	LPWSTR dst,INT dstlen,INT dstbuflen
> +) {
> +	if ((srclen != -1) && (srcbuflen != -1) && (srcbuflen < srclen))
> +		RaiseException(0xC0000409,0x01,0,NULL);

It would be nice to issue a trace clarifying the cause of the exception 
before raising it. Maybe something like this:

   TRACE("used %d as the size when >= %d is needed for the builtin object\n", ...);

Sending it to the seh channel would be best.

[...]
> +#define MultiByteToWideChar(cp,flags,src,srclen,dst,dstlen)	\
> +	MultiByteToWideChar_ichk(cp,flags,			\
> +		src,srclen,__builtin_object_size(src,0),	\
> +		dst,dstlen,__builtin_object_size(dst,0)		\
> +	)

I have a few other concerns here:
 * Why do we need a macro here? I thought it was so that 
   __builtin_object_size() could do its work, but the strcpy() functions 
   above in the patch have no associated macro and they call 
   __builtin_object_size() on their parameter which would seem to be 
   poinless. So I must be misunderstanding something here.
 * It's customary to add some extra parenthesing in such macros:
      (src),(srclen),__builtin_object_size((src),0),
 * The macro itself can cause trouble in some cases. In Winelib 
   code it can cause naming collisions with user functions (especially 
   with class methods, though it may not be very likely here), which 
   would especially be an issue with strcpy*(). Maybe it should be 
   protected by something like a WINE_NO_OVERFLOW_CHECK macro?
 * The macro can also cause trouble in case its parameters have 
   side-effects, like x++ or similar (though the __builtin_object_size() 
   mentions returning -1 in case or side-effects). This could impact 
   Wine too.


-- 
Francois Gouget <fgouget at free.fr>              http://fgouget.free.fr/
                      Computers are like airconditioners
                They stop working properly if you open WINDOWS

More information about the wine-devel mailing list