Buffer overrun bug in typeClassDefn() in type.c

Julian Seward Julian_Seward@muraroa.demon.co.uk
Sun, 25 Feb 2001 00:58:58 +0000


Greetings, earthlings.

Implausible as it seems, I believe I've found a buffer overrun
in typeClassDefn() in type.c, in the latest (Feb 2001) Hugs.
The problem happens under normal operation -- loading the
Prelude is enough to make it happen.

The problem occurs in the loop beginning 

   for (; nonNull(mems); mems=tl(mems)) {

Lines 2233 through 2239 are intended to assign to buf the
value "default_" ++ textToStr(name(hd(mems)).text), so to
speak.  Unfortunately they only do this correctly on the
first iteration of this loop, because i and j are set to
zero at the start of the function, whereas they should be
zeroed at the start of each trip round the loop.  To show
that something is way wrong, try putting 

   printf("buf is `%s'\n", buf)

immediately after buf[i+j] = '\0'; and watch ever-longer
junk strings being printed out.

I propose adding simply 

        i = j = 0;

at line 2234.  Hugs still seems to load the Prelude correctly,
and, in addition, the buf printouts now seem correct.

How could Hugs ever have worked with this bug?

* The size of buf, FILENAME_MAX, is quite large.  This loop
  processes default methods for classes; presumably you'd need
  a class with a lot of default methods before buf got extended
  beyond FILENAME_MAX?

* The string generated into buf[] is hashed, and that hash value
  is used, indirectly, as a unique name for the default method,
  so it doesn't actually matter that the wrong-ish string has
  been hashed.

J
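The loop shape the report describes, as an added example that is not part of the original message and not Hugs's own type.c: a reconstruction of the pattern (two cursors, i into the "default_" prefix and j counting name characters, terminator at buf[i+j]) run once with the cursors zeroed at function entry and once with the proposed `i = j = 0;` at the top of each trip. The exact cursor semantics, the names `BUF_MAX`, `put`, `emit_default_name`, `run_class`, `default_name_checked` and the constructed `ORD_MEMBERS` list are all assumptions made for this illustration; `BUF_MAX` is kept far smaller than FILENAME_MAX so the overrun is reachable with one class's worth of methods.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the FILENAME_MAX-sized buf in the report, deliberately small so
 * the cumulative growth runs off the end within one class's worth of methods. */
#define BUF_MAX 24

struct builder {
    char   buf[BUF_MAX + 2];   /* buf[BUF_MAX + 1] is a sentinel NUL that is never written */
    size_t overrun;            /* bytes the loop tried to store beyond buf[BUF_MAX] */
};

/* Bounds-checked store. The real buffer has no such guard; every byte counted
 * here would have landed in whatever the linker placed after buf. */
static void put(struct builder *b, size_t pos, char c)
{
    if (pos <= BUF_MAX)
        b->buf[pos] = c;
    else
        b->overrun++;
}

/* One trip round the loop (assumed shape, not the Hugs source): "default_" ++
 * name, terminated at buf[i+j]. i is the cursor into the prefix, j counts name
 * characters appended. Both live in the caller, which decides when they are zeroed. */
static void emit_default_name(struct builder *b, const char *name, size_t *i, size_t *j)
{
    static const char prefix[] = "default_";

    while (prefix[*i] != '\0') {            /* silently skipped once *i has reached the end */
        put(b, *i, prefix[*i]);
        (*i)++;
    }
    for (const char *p = name; *p != '\0'; p++, (*j)++)
        put(b, *i + *j, *p);                /* with a stale *j this appends after the old name */
    put(b, *i + *j, '\0');
}

/* Feed every member of a class through the loop. reset == 0 zeroes the cursors
 * once at function entry (the reported bug); reset != 0 zeroes them at the top
 * of each trip (the proposed one-line fix). lens[k], if non-NULL, receives the
 * terminator position after member k; trace, if non-NULL, gets the printout
 * the report suggests. Returns the number of out-of-bounds bytes. */
static size_t run_class(struct builder *b, const char *const *members, size_t count,
                        int reset, FILE *trace, size_t *lens)
{
    size_t i = 0, j = 0;                    /* zeroed at function entry, as in the report */
    memset(b, 0, sizeof *b);
    for (size_t k = 0; k < count; k++) {
        if (reset)
            i = j = 0;                      /* "i = j = 0;" at the top of the loop */
        emit_default_name(b, members[k], &i, &j);
        if (lens)
            lens[k] = i + j;
        if (trace)
            fprintf(trace, "buf is `%.*s'\n", BUF_MAX + 1, b->buf);
    }
    return b->overrun;
}

/* A bounds-aware replacement: snprintf never writes past dstsz and reports the
 * length it wanted, so a name that does not fit is an error, not corruption. */
static int default_name_checked(char *dst, size_t dstsz, const char *name)
{
    int n = snprintf(dst, dstsz, "default_%s", name);
    return (n < 0 || (size_t)n >= dstsz) ? -1 : 0;
}

/* Constructed input: the members of Ord, in declaration order. */
static const char *const ORD_MEMBERS[] = { "compare", "<", "<=", ">", ">=", "max", "min" };
#define ORD_COUNT (sizeof ORD_MEMBERS / sizeof ORD_MEMBERS[0])

int main(void)
{
    struct builder b;
    for (int reset = 0; reset <= 1; reset++) {
        printf("--- %s ---\n", reset ? "cursors zeroed per trip" : "cursors zeroed once");
        size_t over = run_class(&b, ORD_MEMBERS, ORD_COUNT, reset, stdout, NULL);
        printf("%zu byte(s) written past the end of buf\n", over);
    }
    char d[BUF_MAX + 1];
    if (default_name_checked(d, sizeof d, "a_much_longer_member_name") != 0)
        printf("checked builder rejected a name that would not fit\n");
    return 0;
}
```

With the cursors zeroed once, the trace shows exactly the ever-longer strings the report describes (`default_compare`, `default_compare<`, `default_compare<<=`, ...) and the seventh member already spills three bytes past `buf`; with the reset at the top of the loop every line is `default_` followed by just that member's name and nothing leaves the buffer. The `put` guard exists only so the model stays well-defined; a plain `char buf[FILENAME_MAX]` has no such check, which is why the report's two reasons (a large buffer, and a hash consumer that tolerates the wrong string) are what kept Hugs working rather than the code being safe.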