[valgrind-variant] r142 committed - cherry-pick upstream r13409 which fixes a stack buffer overflow on hug...


valgrind...@googlecode.com

May 27, 2013, 9:46:03 AM5/27/13
to valgrind-var...@googlegroups.com
Revision: 142
Author: konstantin....@gmail.com
Date: Mon May 27 06:45:47 2013
Log: cherry-pick upstream r13409 which fixes a stack buffer overflow
on huge TMPDIR
http://code.google.com/p/valgrind-variant/source/detail?r=142

Modified:
/trunk/valgrind/NEWS
/trunk/valgrind/coregrind/m_debuginfo/readpdb.c
/trunk/valgrind/coregrind/m_libcfile.c
/trunk/valgrind/coregrind/m_main.c
/trunk/valgrind/coregrind/pub_core_libcfile.h

=======================================
--- /trunk/valgrind/NEWS Thu Nov 22 04:55:39 2012
+++ /trunk/valgrind/NEWS Mon May 27 06:45:47 2013
@@ -403,6 +403,7 @@
(3.8.0-TEST3: 9 August 2012, vex r2465, valgrind r12865)
(3.8.0: 10 August 2012, vex r2465, valgrind r12866)

+320211 Stack buffer overflow in ./coregrind/m_main.c with huge TMPDIR


Release 3.7.0 (5 November 2011)
=======================================
--- /trunk/valgrind/coregrind/m_debuginfo/readpdb.c Thu Nov 22 04:55:39 2012
+++ /trunk/valgrind/coregrind/m_debuginfo/readpdb.c Mon May 27 06:45:47 2013
@@ -2407,7 +2407,7 @@
/* This is a giant kludge, of the kind "you did WTF?!?", but it
works. */
Bool do_cleanup = False;
- HChar tmpname[100], tmpnameroot[50];
+ HChar tmpname[VG_(mkstemp_fullname_bufsz)(50-1)], tmpnameroot[50];
Int fd, r;
HChar* res = NULL;

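Review bot: The `50-1` in the new `tmpname` declaration silently encodes "the longest string `tmpnameroot[50]` can hold", and the two sizes will drift apart if `tmpnameroot` is ever resized; declaring the root first and deriving the length from it keeps them tied together, `HChar tmpnameroot[50], tmpname[VG_(mkstemp_fullname_bufsz)(sizeof(tmpnameroot) - 1)];`, with a comment `/* sized for the longest root name that fits in tmpnameroot */`. Separately, `tmpname` is now a variable-length array whose size includes the length of whatever `VG_(tmpdir)()` returns at run time, so an oversized TMPDIR no longer overruns a fixed buffer but instead grows this frame by the same amount, with no upper bound visible in the hunk; whether the caller's stack tolerates that is not something this diff shows. The enclosing function starts and ends outside the hunk.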
=======================================
--- /trunk/valgrind/coregrind/m_libcfile.c Thu Nov 22 04:55:39 2012
+++ /trunk/valgrind/coregrind/m_libcfile.c Mon May 27 06:45:47 2013
@@ -659,15 +659,27 @@

return tmpdir;
}
+
+static const HChar *mkstemp_format = "%s/valgrind_%s_%08x";
+
+SizeT VG_(mkstemp_fullname_bufsz) ( SizeT part_of_name_len )
+{
+ return VG_(strlen)(mkstemp_format)
+ + VG_(strlen)(VG_(tmpdir)()) - 2 // %s tmpdir
+ + part_of_name_len - 2 // %s part_of_name
+ + 8 - 4 // %08x
+ + 1; // trailing 0
+}
+

/* Create and open (-rw------) a tmp file name incorporating said arg.
Returns -1 on failure, else the fd of the file. If fullname is
non-NULL, the file's name is written into it. The number of bytes
- written is guaranteed not to exceed 64+strlen(part_of_name). */
+ written is equal to VG_(mkstemp_fullname_bufsz)(part_of_name). */

Int VG_(mkstemp) ( HChar* part_of_name, /*OUT*/HChar* fullname )
{
- HChar buf[200];
+ HChar buf[VG_(mkstemp_fullname_bufsz)(VG_(strlen)(part_of_name))];
Int n, tries, fd;
UInt seed;
SysRes sres;
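Review bot: The rewritten contract comment passes `part_of_name` (a string) to `VG_(mkstemp_fullname_bufsz)`, which the new definition declares with a `SizeT part_of_name_len` parameter, and "equal to" is off by the trailing NUL that the size function counts; the comment that matches the code is `If fullname is non-NULL, it must have room for VG_(mkstemp_fullname_bufsz)(VG_(strlen)(part_of_name)) bytes; the name written there is exactly that long, including its terminating NUL.` The new `buf` is a variable-length array whose size grows with `VG_(strlen)(VG_(tmpdir)())`, and nothing in the hunk caps that value, so a very long TMPDIR now produces an arbitrarily large stack frame instead of an overflow; if `VG_(tmpdir)()` can return an environment-supplied string (the hunk only shows `return tmpdir;`), an explicit upper bound with a `-1` return on breach would make the failure mode deliberate rather than stack-dependent. The size is also only correct if `VG_(tmpdir)()` returns the same string on the sizing call and on the later formatting call, which is worth a one-line comment on `mkstemp_fullname_bufsz`. The body of `VG_(mkstemp)` continues past the end of the hunk.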
=======================================
--- /trunk/valgrind/coregrind/m_main.c Thu Nov 22 04:55:39 2012
+++ /trunk/valgrind/coregrind/m_main.c Mon May 27 06:45:47 2013
@@ -1859,7 +1859,7 @@
VG_(cl_auxv_fd) = -1;
#else
if (!need_help) {
- HChar buf[50], buf2[50+64];
+ HChar buf[50], buf2[VG_(mkstemp_fullname_bufsz)(50-1)];
HChar nul[1];
Int fd, r;
const HChar* exename;
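Review bot: The new `buf2` size repeats the `50` from `buf` as a literal `50-1`, so the two declarations can drift apart on a later edit even though the whole point of the fix is that `buf2` must be large enough for whatever `buf` holds; since `buf` is declared first on the same line, `HChar buf[50], buf2[VG_(mkstemp_fullname_bufsz)(sizeof(buf) - 1)];` ties them together at no cost. This is the site named in the NEWS entry for bug 320211, and the new declaration is a variable-length array sized from the run-time TMPDIR length, so the overflow is gone but the stack cost of a huge TMPDIR is now proportional to it; the hunk shows no bound on that. The enclosing `if (!need_help)` block and its function start and end outside the hunk.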
=======================================
--- /trunk/valgrind/coregrind/pub_core_libcfile.h Thu Nov 22 04:55:39 2012
+++ /trunk/valgrind/coregrind/pub_core_libcfile.h Mon May 27 06:45:47 2013
@@ -85,10 +85,14 @@
in terms of pread()?) */
extern SysRes VG_(pread) ( Int fd, void* buf, Int count, OffT offset );

+/* Size of fullname buffer needed for a call to VG_(mkstemp) with
+ part_of_name having the given part_of_name_len. */
+extern SizeT VG_(mkstemp_fullname_bufsz) ( SizeT part_of_name_len );
+
/* Create and open (-rw------) a tmp file name incorporating said arg.
Returns -1 on failure, else the fd of the file. If fullname is
non-NULL, the file's name is written into it. The number of bytes
- written is guaranteed not to exceed 64+strlen(part_of_name). */
+ written is equal to VG_(mkstemp_fullname_bufsz)(part_of_name). */
extern Int VG_(mkstemp) ( HChar* part_of_name, /*OUT*/HChar* fullname );

/* Record the process' working directory at startup. Is intended to
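Review bot: The updated `VG_(mkstemp)` comment documents a call that does not type-check against the declaration three lines above it: `VG_(mkstemp_fullname_bufsz)` takes a `SizeT` length, not the `part_of_name` string, and the value it returns includes the terminating NUL, so "number of bytes written is equal to" is one larger than the string length. I'd replace the last two sentences with `If fullname is non-NULL, it must have room for VG_(mkstemp_fullname_bufsz)(VG_(strlen)(part_of_name)) bytes; the name written there, including its terminating NUL, is exactly that long.` The comment on the new declaration should also say that the result depends on the directory `VG_(tmpdir)()` returns at the time of the call, since that is what makes it a run-time (not compile-time) size for callers using it as an array bound.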