[Bug 1559] New: Buffer Overrun in mon-editor.c

bugzilla-daemon at rtems.org bugzilla-daemon at rtems.org
Mon Jun 14 16:11:47 UTC 2010


https://www.rtems.org/bugzilla/show_bug.cgi?id=1559

           Summary: Buffer Overrun in mon-editor.c
           Product: RTEMS
           Version: 4.10
          Platform: All
        OS/Version: RTEMS
            Status: NEW
          Severity: normal
          Priority: P3
         Component: misc
        AssignedTo: chrisj at rtems.org
        ReportedBy: joel.sherrill at oarcorp.com


Coverity CID 16 reports that there is a buffer overrun.  The details are below.




===========================

At conditional (15): "default" taking true path

422                default:

At conditional (16): "pos < 74" taking true path
At conditional (17): "c >= 32" taking true path
At conditional (18): "c <= 122" taking true path

423                  if ((pos < (RTEMS_COMMAND_BUFFER_SIZE - 1)) &&
424                      (c >= ' ') && (c <= 'z'))
425                  {
426                    int end;
427                    end = strlen (buffer);

At conditional (19): "pos < end" taking true path
At conditional (20): "end < 75" taking true path

428                    if ((pos < end) && (end < RTEMS_COMMAND_BUFFER_SIZE))
429                    {
430                      int ch, bs;

Event assignment: Assigning "(end + 1)" to "ch"
Also see events: [overrun-local]
At conditional (21): "ch > pos" taking true path

431                      for (ch = end + 1; ch > pos; ch--)

Event overrun-local: Overrun of static array "buffer" of size 75 at position 75
with index variable "ch"
Also see events: [assignment]

432                        buffer[ch] = buffer[ch - 1];

-- 
Configure bugmail: https://www.rtems.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
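The off-by-one in the trace above, worked through as an added example (not RTEMS code and not the project's fix). `BUF_SIZE` takes the array size of 75 from the Coverity output; the function names are hypothetical, and the tightened bound is one possible remedy assumed here for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 75 /* size Coverity reports for "buffer" */

/* Guard as quoted in the report (lines 423 and 428). Returns the highest
 * index the shift loop at line 431 would write, or -1 if the guard rejects
 * the insert. Only arithmetic is done here; no memory is touched. */
static int reported_guard_max_index(int pos, int end)
{
    if (pos < BUF_SIZE - 1 && pos < end && end < BUF_SIZE)
        return end + 1; /* first iteration writes buffer[end + 1] */
    return -1;
}

/* Bounds-checked insert (hypothetical helper): shifts the tail, including
 * the terminating NUL, one slot to the right and stores c at pos.
 * Returns 0 on success, -1 if the result would not fit in BUF_SIZE bytes. */
static int insert_char_checked(char buf[BUF_SIZE], int pos, char c)
{
    const char *nul = memchr(buf, '\0', BUF_SIZE);
    int end;

    if (nul == NULL)
        return -1; /* not terminated inside the array */
    end = (int)(nul - buf);
    if (pos < 0 || pos > end || end >= BUF_SIZE - 1)
        return -1; /* the shifted NUL would land at index BUF_SIZE or later */
    memmove(buf + pos + 1, buf + pos, (size_t)(end - pos) + 1);
    buf[pos] = c;
    return 0;
}

int main(void)
{
    char full[BUF_SIZE]; /* constructed input: 74 characters plus NUL */

    memset(full, 'a', BUF_SIZE - 1);
    full[BUF_SIZE - 1] = '\0';
    printf("reported guard, end=74: highest index written = %d (valid: 0..%d)\n",
           reported_guard_max_index(0, 74), BUF_SIZE - 1);
    printf("checked insert into full buffer returns %d\n",
           insert_char_checked(full, 0, 'x'));
    return 0;
}
```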


