| commit | 86d77719693861fc8fa9c584dee36adaac5f883a | |
| author | Yifeng Li <tomli@tomli.me> | |
| Tue, 25 Apr 2023 21:41:01 +0000 (25 21:41 +0000) | ||
| committer | Yifeng Li <tomli@tomli.me> | |
| Tue, 25 Apr 2023 21:58:23 +0000 (25 21:58 +0000) | ||
| tree | a2ff857d8d1ec3eb9697b53715de691c3f46c7d6 | treesnapshot (tar.gz zip) |
| parent | 6f6c04e8b25497851f6a5979a6e96023fffe22df | commitdiff |
[cctools] fix ar(1) crash without argument, closes #7.
In ar(1), strcmp() checks are used to determine the value
of argument argv[1], even when no argument is given. In the
past, they were possibly harmless out-of-bound reads and
comparison with garbage, without consequences.
However, running it on macOS 13 w/ Apple Silicon immediately
crashes it with Segmentation Fault, because argv[1] is now
NULL and generates EXC_BAD_ACCESS in strcmp().
This commit checks whether argc is equal or greater than 2
before doing strcmp().
$ ./bin/ar
Segmentation fault: 11
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
frame #0: 0x0000000193181460 libsystem_platform.dylib`_platform_strcmp + 144
libsystem_platform.dylib`:
-> 0x193181460 <+144>: ldr q0, [x0], #0x10
0x193181464 <+148>: ldr q1, [x1], #0x10
0x193181468 <+152>: cmeq.16b v1, v0, v1
0x19318146c <+156>: and.16b v0, v0, v1
Target 0: (ar) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x0000000193181460 libsystem_platform.dylib`_platform_strcmp + 144
frame #1: 0x0000000100006440 ar`main(argc=1, argv=0x000000016fdfef58) at ar.c:126:8
frame #2: 0x0000000192e2be50 dyld`start + 2544
Signed-off-by: Yifeng Li <tomli@tomli.me>
In ar(1), strcmp() checks are used to determine the value
of argument argv[1], even when no argument is given. In the
past, they were possibly harmless out-of-bound reads and
comparison with garbage, without consequences.
However, running it on macOS 13 w/ Apple Silicon immediately
crashes it with Segmentation Fault, because argv[1] is now
NULL and generates EXC_BAD_ACCESS in strcmp().
This commit checks whether argc is equal or greater than 2
before doing strcmp().
$ ./bin/ar
Segmentation fault: 11
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
frame #0: 0x0000000193181460 libsystem_platform.dylib`_platform_strcmp + 144
libsystem_platform.dylib`:
-> 0x193181460 <+144>: ldr q0, [x0], #0x10
0x193181464 <+148>: ldr q1, [x1], #0x10
0x193181468 <+152>: cmeq.16b v1, v0, v1
0x19318146c <+156>: and.16b v0, v0, v1
Target 0: (ar) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x0000000193181460 libsystem_platform.dylib`_platform_strcmp + 144
frame #1: 0x0000000100006440 ar`main(argc=1, argv=0x000000016fdfef58) at ar.c:126:8
frame #2: 0x0000000192e2be50 dyld`start + 2544
Signed-off-by: Yifeng Li <tomli@tomli.me>
| cctools/ar/ar.c | diffblobblamehistory |