[Bug 229888] devel/boost-libs: Fix undefined behavior in boost::filesystem::copy
bugzilla-noreply at freebsd.org
Thu Jul 19 19:43:06 UTC 2018
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229888
--- Comment #2 from Michael Gmelin <grembo at FreeBSD.org> ---
(In reply to Jan Beich from comment #1)
This is because I gave you the wrong example (wasn't focused while doing this
and copied and pasted the wrong one), sorry. I came from 10.x, so not sure if
11.1 was affected as well.
This one does crash reliably here on 11.2 amd64:

    #include <boost/filesystem.hpp>

    int main()
    {
        boost::filesystem::copy("/tmp/t.pdf", "/tmp/t2.pdf");
    }

This one doesn't (the original one), as passing in ec prevents the nullptr
dereference:

    #include <boost/filesystem.hpp>

    int main()
    {
        boost::system::error_code ec;
        boost::filesystem::copy("/tmp/t.pdf", "/tmp/t2.pdf", ec);
    }

Background is that copy has two signatures:

    void copy(const path& from, const path& to)
        {detail::copy(from, to);}
    void copy(const path& from, const path& to, system::error_code& ec) BOOST_NOEXCEPT
        {detail::copy(from, to, &ec);}

As you can see, the first version calls detail::copy without ec, which means ec
is 0:

    void detail::copy(const path& from, const path& to, system::error_code* ec=0);

The implementation of detail::copy then calls various functions that expect an
error_code reference (error_code&) by dereferencing a null pointer:

    void copy(const path& from, const path& to, system::error_code* ec)
    {
        file_status s(symlink_status(from, *ec)); // boom
        if (ec != 0 && *ec) return; // here it's checked, funny
        if(is_symlink(s))
        {
            copy_symlink(from, to, *ec); // boom
        }
        else if(is_directory(s))
        {
            copy_directory(from, to, *ec); // boom
        }
        else if(is_regular_file(s))
        {
            copy_file(from, to, fs::copy_option::fail_if_exists, *ec); // ouch
    ...

The patch replaces these calls with calls to the respective functions in the
detail namespace, which all take an error_code* as input, which is allowed to
be nullptr:

    file_status s(detail::symlink_status(from, ec));
    copy_symlink(from, to, ec);
    copy_directory(from, to, ec);
    ...

Hope this clarifies the issue.
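
The error_code* convention described in the comment above, as an added example that is not part of the original mail and is not Boost source code. It is a self-contained model: the `demo` namespace, the in-memory `Files` set and the `fail` helper are hypothetical, and `std::error_code` stands in for `boost::system::error_code`.

```cpp
#include <cerrno>
#include <set>
#include <string>
#include <system_error>

namespace demo {  // hypothetical stand-in for boost::filesystem, not Boost code
struct Files { std::set<std::string> names; };  // constructed in-memory "file system"
namespace detail {
// ec == nullptr means "report by throwing"; otherwise store the error in *ec.
inline bool fail(int err, std::error_code* ec, const char* what) {
    const std::error_code code(err, std::generic_category());
    if (ec == nullptr) throw std::system_error(code, what);
    *ec = code;
    return false;
}
// ec is checked before every dereference and forwarded as a pointer.
inline bool copy(Files& fs, const std::string& from, const std::string& to,
                 std::error_code* ec = nullptr) {
    if (ec != nullptr) ec->clear();
    if (fs.names.count(from) == 0) return fail(ENOENT, ec, "demo::copy");
    if (fs.names.count(to) != 0) return fail(EEXIST, ec, "demo::copy");
    fs.names.insert(to);
    return true;
}
}  // namespace detail

// Throwing overload: no error_code, so detail::copy receives nullptr.
inline void copy(Files& fs, const std::string& from, const std::string& to) {
    detail::copy(fs, from, to);
}
// Non-throwing overload: hands over the caller's error_code by address.
inline void copy(Files& fs, const std::string& from, const std::string& to,
                 std::error_code& ec) noexcept {
    detail::copy(fs, from, to, &ec);
}
// errno value reported for a missing source, through each overload.
inline int missing_source_via_throw() {
    Files fs; fs.names.insert("/tmp/t.pdf");
    try { demo::copy(fs, "/tmp/absent.pdf", "/tmp/t2.pdf"); }
    catch (const std::system_error& e) { return e.code().value(); }
    return 0;
}
inline int missing_source_via_ec() {
    Files fs; fs.names.insert("/tmp/t.pdf");
    std::error_code ec;
    demo::copy(fs, "/tmp/absent.pdf", "/tmp/t2.pdf", ec);
    return ec.value();
}
}  // namespace demo
```

Building code like this with `-fsanitize=undefined` flags any remaining place where a null `error_code*` is bound to a reference.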