[gnutls-devel] libtasn1 | Gcc 8 flags buffer violation while parsing tokens. Adding "-" seems to break the parser doing snprintf. (#6)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Tue Dec 18 03:38:09 CET 2018
New Issue was created.
Issue 6: https://gitlab.com/gnutls/libtasn1/issues/6
Author: Terry Jones
Assignee:
## Description of problem:
Found a bug in the parser for GNU libtasn1-4.9: when making the tokens and adding a "-" to the string, they go over the length of their buffer. So the problem is using a sizeof on the buffer size and making the buffer too short. Looks like two problems; this way the problem creeps as you grow the buffer to add room for the "-":
## Version of libtasn1 used:
Gnu 1-4.9
## Distributor of libtasn1 (e.g., Ubuntu, Fedora, RHEL)
Gnu source tarball.
## How reproducible:
Compile using GCC 8 with -Werror=format-truncation
Steps to Reproduce:
* Unpack tarball and run configure, please see attached config.status.
* Make using those flags.
* See GCC flag the error as follows:
## Actual results:
```
GNU C17 (GCC) version 8.2.0 (x86_64-pc-linux-gnu)
compiled by GNU C version 8.2.0, GMP version 6.1.2, MPFR version 4.0.1, MPC version 1.1.0, isl version none
GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
Compiler executable checksum: 81f798d4ff0871f00b0a4f3f1296b20a
ASN1.c: In function '_asn1_yyparse':
ASN1.y:164:47: error: 'snprintf' output may be truncated before the last format character [-Werror=format-truncation=]
| '-' NUM {snprintf($$,sizeof($$),"-%s",$2);}
^~~~~
ASN1.y:164:6: note: 'snprintf' output between 2 and 66 bytes into a destination of size 65
| '-' NUM {snprintf($$,sizeof($$),"-%s",$2);}
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ASN1.y:152:47: error: 'snprintf' output may be truncated before the last format character [-Werror=format-truncation=]
neg_num : '-' NUM {snprintf($$,sizeof($$),"-%s",$2);}
^~~~~
ASN1.y:152:6: note: 'snprintf' output between 2 and 66 bytes into a destination of size 65
neg_num : '-' NUM {snprintf($$,sizeof($$),"-%s",$2);}
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
Makefile:1112: recipe for target 'ASN1.lo' failed
```
Please see:
[config.status](/uploads/7cc9158451b4dbe2846fb9ebb6416fe7/config.status)
[gcc_v.txt](/uploads/5999709704b2c0635b697fd893c77e0e/gcc_v.txt)
## Expected results:
No warning or errors.
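What the GCC note above describes, as an added example (not code from libtasn1 or from the issue): with a 65-byte destination, a 64-character NUM plus the leading "-" needs 66 bytes, so `snprintf` drops the last character unless its return value is checked. The names `TOK_SIZE`, `make_neg_num`, `fill_digits` and `neg_len` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define TOK_SIZE 65 /* destination size reported in the GCC note (assumed name) */

/* Hypothetical helper, not libtasn1 code: builds "-<num>" into dst like the
 * flagged grammar action, but checks snprintf's return value.
 * Returns 0 on success, -1 if the result did not fit and was truncated. */
static int make_neg_num(char dst[TOK_SIZE], const char *num)
{
    int n = snprintf(dst, TOK_SIZE, "-%s", num);
    /* snprintf returns the length it wanted to write, excluding the NUL,
     * so n >= TOK_SIZE means the tail of the number was cut off. */
    if (n < 0 || n >= TOK_SIZE)
        return -1;
    return 0;
}

/* Constructed sample input: fills buf with `digits` copies of '9'. */
static void fill_digits(char *buf, size_t digits)
{
    memset(buf, '9', digits);
    buf[digits] = '\0';
}

/* Runs the helper and returns the length of the string left in the buffer. */
static size_t neg_len(const char *num, int *status)
{
    char dst[TOK_SIZE];
    dst[0] = '\0';
    *status = make_neg_num(dst, num);
    return strlen(dst);
}

int main(void)
{
    char num[TOK_SIZE];
    int st;
    size_t len;

    fill_digits(num, 63);           /* "-" + 63 digits + NUL = 65 bytes: fits */
    len = neg_len(num, &st);
    printf("63 digits: status=%d len=%zu\n", st, len);

    fill_digits(num, 64);           /* "-" + 64 digits + NUL = 66 bytes: too long */
    len = neg_len(num, &st);
    printf("64 digits: status=%d len=%zu\n", st, len);
    return 0;
}
```

Both calls leave a 64-character string in the buffer; only the return value distinguishes the intact number from the one that lost its last digit.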