OTP-8451 Harmless buffer overflow by one byte in asn1 and ram_file_drv.

4 files changed, 53 insertions, 34 deletions

diff --git a/erts/emulator/beam/erl_binary.h b/erts/emulator/beam/erl_binary.h
index 21d4e3fdfd..1f948a9684 100644
--- a/erts/emulator/beam/erl_binary.h
+++ b/erts/emulator/beam/erl_binary.h
@@ -195,10 +195,20 @@ erts_free_aligned_binary_bytes(byte* buf)
     }
 }
 
+/* Explicit extra bytes allocated to counter buggy drivers.
+** These extra bytes where earlier (< R13B04) added by an alignment-bug
+** in this code. Do we dare remove this in some major release (R14?) maybe?
+*/
+#ifdef DEBUG
+#  define CHICKEN_PAD 0
+#else
+#  define CHICKEN_PAD (sizeof(void*) - 1)
+#endif
+
 ERTS_GLB_INLINE Binary *
 erts_bin_drv_alloc_fnf(Uint size)
 {
-    Uint bsize = ERTS_SIZEOF_Binary(size);
+    Uint bsize = ERTS_SIZEOF_Binary(size) + CHICKEN_PAD;
     void *res;
     res = erts_alloc_fnf(ERTS_ALC_T_DRV_BINARY, bsize);
     ERTS_CHK_BIN_ALIGNMENT(res);
@@ -208,7 +218,7 @@ erts_bin_drv_alloc_fnf(Uint size)
 ERTS_GLB_INLINE Binary *
 erts_bin_drv_alloc(Uint size)
 {
-    Uint bsize = ERTS_SIZEOF_Binary(size);
+    Uint bsize = ERTS_SIZEOF_Binary(size) + CHICKEN_PAD;
     void *res;
     res = erts_alloc(ERTS_ALC_T_DRV_BINARY, bsize);
     ERTS_CHK_BIN_ALIGNMENT(res);
@@ -219,7 +229,7 @@ erts_bin_drv_alloc(Uint size)
 ERTS_GLB_INLINE Binary *
 erts_bin_nrml_alloc(Uint size)
 {
-    Uint bsize = ERTS_SIZEOF_Binary(size);
+    Uint bsize = ERTS_SIZEOF_Binary(size) + CHICKEN_PAD;
     void *res;
     res = erts_alloc(ERTS_ALC_T_BINARY, bsize);
     ERTS_CHK_BIN_ALIGNMENT(res);
@@ -230,7 +240,7 @@ ERTS_GLB_INLINE Binary *
 erts_bin_realloc_fnf(Binary *bp, Uint size)
 {
     Binary *nbp;
-    Uint bsize = ERTS_SIZEOF_Binary(size);
+    Uint bsize = ERTS_SIZEOF_Binary(size) + CHICKEN_PAD;
     ASSERT((bp->flags & BIN_FLAG_MAGIC) == 0);
     if (bp->flags & BIN_FLAG_DRV)
 	nbp = erts_realloc_fnf(ERTS_ALC_T_DRV_BINARY, (void *) bp, bsize);
@@ -244,7 +254,7 @@ ERTS_GLB_INLINE Binary *
 erts_bin_realloc(Binary *bp, Uint size)
 {
     Binary *nbp;
-    Uint bsize = ERTS_SIZEOF_Binary(size);
+    Uint bsize = ERTS_SIZEOF_Binary(size) + CHICKEN_PAD;
     ASSERT((bp->flags & BIN_FLAG_MAGIC) == 0);
     if (bp->flags & BIN_FLAG_DRV)
 	nbp = erts_realloc_fnf(ERTS_ALC_T_DRV_BINARY, (void *) bp, bsize);
diff --git a/erts/emulator/drivers/common/ram_file_drv.c b/erts/emulator/drivers/common/ram_file_drv.c
index 2e3aeb981e..4a39a156e6 100644
--- a/erts/emulator/drivers/common/ram_file_drv.c
+++ b/erts/emulator/drivers/common/ram_file_drv.c
@@ -1,19 +1,19 @@
 /*
  * %CopyrightBegin%
- * 
- * Copyright Ericsson AB 1997-2009. All Rights Reserved.
- * 
+ *
+ * Copyright Ericsson AB 1997-2010. All Rights Reserved.
+ *
  * The contents of this file are subject to the Erlang Public License,
  * Version 1.1, (the "License"); you may not use this file except in
  * compliance with the License. You should have received a copy of the
  * Erlang Public License along with this software. If not, it can be
  * retrieved online at http://www.erlang.org/.
- * 
+ *
  * Software distributed under the License is distributed on an "AS IS"
  * basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
  * the License for the specific language governing rights and limitations
  * under the License.
- * 
+ *
  * %CopyrightEnd%
  */
 /*
@@ -388,7 +388,7 @@ static int ram_file_uuencode(RamFile *f)
 {
     int code_len = UULINE(UNIX_LINE);
     int len = f->end;
-    int usize = (len*4+2)/3 + 2*(len/code_len+1) + 2 + 1;
+    int usize = 4*((len+2)/3) + 2*((len+code_len-1)/code_len) + 2;    
     ErlDrvBinary* bin;
     uchar* inp;
     uchar* outp;
@@ -433,7 +433,7 @@ static int ram_file_uuencode(RamFile *f)
     *outp++ = ' ';   /* this end of file 0 length !!! */
     *outp++ = '\n';
     count += 2;
-
+    ASSERT(count == usize);
     driver_free_binary(f->bin);
     ram_file_set(f, bin, usize, count);
     return numeric_reply(f, count);
diff --git a/lib/asn1/c_src/asn1_erl_driver.c b/lib/asn1/c_src/asn1_erl_driver.c
index cd2e63a363..fd284e5800 100644
--- a/lib/asn1/c_src/asn1_erl_driver.c
+++ b/lib/asn1/c_src/asn1_erl_driver.c
@@ -1,19 +1,19 @@
 /*
  * %CopyrightBegin%
- * 
- * Copyright Ericsson AB 2002-2009. All Rights Reserved.
- * 
+ *
+ * Copyright Ericsson AB 2002-2010. All Rights Reserved.
+ *
  * The contents of this file are subject to the Erlang Public License,
  * Version 1.1, (the "License"); you may not use this file except in
  * compliance with the License. You should have received a copy of the
  * Erlang Public License along with this software. If not, it can be
  * retrieved online at http://www.erlang.org/.
- * 
+ *
  * Software distributed under the License is distributed on an "AS IS"
  * basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
  * the License for the specific language governing rights and limitations
  * under the License.
- * 
+ *
  * %CopyrightEnd%
  *
  */
@@ -206,7 +206,11 @@ int asn1_drv_control(ErlDrvData   handle,
   set_port_control_flags(a_data->port, PORT_CONTROL_FLAG_BINARY);
 
   if (command == ASN1_COMPLETE)
-    { /* Do the PER complete encode step */
+    { 
+      if (buf_len==0) {
+	  return 0; /* Avoid binary buffer overwrite (OTP-8451) */
+      }
+      /* Do the PER complete encode step */
       if ((drv_binary = driver_alloc_binary(buf_len))==NULL) {
 	/* error handling */
 	set_port_control_flags(a_data->port, 0);
diff --git a/lib/kernel/test/ram_file_SUITE.erl b/lib/kernel/test/ram_file_SUITE.erl
index 55c9497670..798a37d3dc 100644
--- a/lib/kernel/test/ram_file_SUITE.erl
+++ b/lib/kernel/test/ram_file_SUITE.erl
@@ -1,19 +1,19 @@
 %%
 %% %CopyrightBegin%
-%% 
-%% Copyright Ericsson AB 2001-2009. All Rights Reserved.
-%% 
+%%
+%% Copyright Ericsson AB 2001-2010. All Rights Reserved.
+%%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
 %% compliance with the License. You should have received a copy of the
 %% Erlang Public License along with this software. If not, it can be
 %% retrieved online at http://www.erlang.org/.
-%% 
+%%
 %% Software distributed under the License is distributed on an "AS IS"
 %% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
 %% the License for the specific language governing rights and limitations
 %% under the License.
-%% 
+%%
 %% %CopyrightEnd%
 %%
 
@@ -472,20 +472,25 @@ uuencode(Config) when is_list(Config) ->
     %%
     %% Uuencode and decode test
     %%
-    ?line {ok, 0}        = ?FILE_MODULE:position(FdReal, bof),
-    ?line {ok, 0}        = ?FILE_MODULE:position(Fd, bof),
-    ?line ok             = ?FILE_MODULE:truncate(Fd),
-    ?line {ok, Sz}       = ?FILE_MODULE:copy(FdReal, Fd),
-    ?line {ok, SzUu}     = ?RAM_FILE_MODULE:uuencode(Fd),
-    ?line true           = (Sz =< SzUu),
-    ?line {ok, Sz  }     = ?RAM_FILE_MODULE:uudecode(Fd),
-    ?line {ok, 0}        = ?FILE_MODULE:position(FdReal, bof),
-    ?line {ok, 0}        = ?FILE_MODULE:position(Fd, bof),
-    ?line true           = compare(FdReal, Fd),
-    %%
+    F = fun(Offs) ->
+		Size = Sz - Offs,
+		?line {ok, Offs}     = ?FILE_MODULE:position(FdReal, {bof,Offs}),
+		?line {ok, 0}        = ?FILE_MODULE:position(Fd, bof),
+		?line ok             = ?FILE_MODULE:truncate(Fd),
+		?line {ok, Size}     = ?FILE_MODULE:copy(FdReal, Fd),
+		?line {ok, SizeUu}   = ?RAM_FILE_MODULE:uuencode(Fd),
+		?line true           = (Size =< SizeUu),
+		?line {ok, Size}     = ?RAM_FILE_MODULE:uudecode(Fd),
+		?line {ok, Offs}     = ?FILE_MODULE:position(FdReal, {bof,Offs}),
+		?line {ok, 0}        = ?FILE_MODULE:position(Fd, bof),
+		?line true           = compare(FdReal, Fd)
+	end,
+    lists:foreach(F, lists:seq(0,Sz-1, 43)),
+
     ?line ok             = ?FILE_MODULE:close(FdReal),
     ?line ok             = ?FILE_MODULE:close(Fd),
     ?line ok             = ?FILE_MODULE:close(FdRealUu),
+    %%
     ok.