sosy-lab/sv-benchmarks

why can echo-2.i overflow?

Cglasses opened this issue · 2 comments

Its corresponding YML file states that the expected result of the no-overflow property is false.
I wonder under what circumstances the program will overflow.
echo-2.zip

Link to file: echo-2.c

Hi, from the blame log of the file @holznerst linked I see that I created it. In the commit message 97299d4 I mention issue #535, which contains a detailed description of the overflow.

tl;dr is that strlen(strerr) can lead to an integer close to INT_MAX, which is used in a signed integer addition to determine the length of the error message in bb_perror_msg, which will be the length of strerr plus some added stuff around that:

(unsigned long int)(applet_len + used + strerr_len + msgeol_len + 3) // overflow!
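
The point of the expression above is that the cast is applied only after the parenthesised sum has been evaluated in `int`. The following is an added example, not code from echo-2.c or from the repository. It assumes the four operands are non-negative `int` values (hypothetical types, inferred from "signed integer addition") and uses the GCC/Clang `__builtin_add_overflow` builtin to test the sum without executing the overflow itself.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumption: all four lengths are non-negative ints; the names follow the
 * quoted expression, the types are not taken from the benchmark source. */

/* True if applet_len + used + strerr_len + msgeol_len + 3 leaves the int
 * range when evaluated left to right in int, as the quoted expression does.
 * The checked-add builtin reports the overflow instead of performing it. */
bool sum_overflows_int(int applet_len, int used, int strerr_len, int msgeol_len)
{
    int acc;
    return __builtin_add_overflow(applet_len, used, &acc)
        || __builtin_add_overflow(acc, strerr_len, &acc)
        || __builtin_add_overflow(acc, msgeol_len, &acc)
        || __builtin_add_overflow(acc, 3, &acc);
}

/* Overflow-free form: widen every operand before adding, so the arithmetic
 * is done in unsigned long. With a 64-bit unsigned long the sum of four
 * non-negative ints plus 3 always fits. */
unsigned long msg_len_widened(int applet_len, int used, int strerr_len,
                              int msgeol_len)
{
    return (unsigned long)applet_len + (unsigned long)used
         + (unsigned long)strerr_len + (unsigned long)msgeol_len + 3UL;
}

int main(void)
{
    /* Constructed inputs: small fixed parts, strerr_len close to INT_MAX. */
    int applet_len = 4, used = 10, msgeol_len = 1;
    int strerr_len = INT_MAX - 10;

    printf("int sum overflows: %s\n",
           sum_overflows_int(applet_len, used, strerr_len, msgeol_len)
               ? "yes" : "no");
    printf("widened length:    %lu\n",
           msg_len_widened(applet_len, used, strerr_len, msgeol_len));
    return 0;
}
```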