<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href="https://github.com/llvm/llvm-project/issues/67167">67167</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            __kmp_env_blk_parse_unix() memory overwrite bug
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            new issue
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          crs23
      </td>
    </tr>
</table>

<pre>
__kmp_env_blk_parse_unix() uses KMP_MEMCPY_S() incorrectly. As a result, it can both detect bogus errors and overwrite memory.

In the copy loop, size never changes, so on each iteration KMP_MEMCPY_S() gets a destination buffer that's (var - bulk) bytes past the end of the bulk buffer. Because of that, and because KMP_MEMCPY_S() checks for buffer overlaps, it's possible to detect an overlap that isn't real. Worse, KMP_MEMCPY_S() then fills (var - bulk) bytes past the end of bulk with zeroes.

The obvious fix is to have "size -= len + 1;" at the end of each iteration. If that somehow goes "negative", one hopes the RSIZE_MAX check will protect the code, but the loop really should also be checking the result of KMP_MEMCPY_S().
</pre>
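<p>The failure mode described in the report, as an added example that is not libomp code: model_memcpy_s() is a simplified stand-in for a memcpy_s-style checked copy, and pack_env(), the arena layout and the two sample strings are constructed for illustration. Everything stays inside one 64-byte arena so the overrun can be counted safely.</p>

```c
#include <stdio.h>
#include <string.h>

enum { ARENA = 64 };

/* Stand-in for a checked copy: if the count exceeds the claimed destination
   size, or [dst, dst+dstsz) overlaps [src, src+n), zero the whole claimed
   destination and report an error. */
static int model_memcpy_s(char *dst, size_t dstsz, const char *src, size_t n) {
    int overlap = (src < dst + dstsz) && (dst < src + n);
    if (n > dstsz || overlap) {
        memset(dst, 0, dstsz);
        return 1;
    }
    memcpy(dst, src, n);
    return 0;
}

/* Packs two strings into bulk (the first 9 bytes of the arena). The second
   source sits directly after bulk: near it, but never inside it. Returns the
   number of bytes past the end of bulk that changed; *errors counts failed
   copies. shrink_size selects the fix proposed in the report. */
static size_t pack_env(int shrink_size, int *errors) {
    char arena[ARENA], before[ARENA];
    memset(arena, 0x5A, sizeof arena);
    const size_t bulk_size = 9;              /* "A=1\0" + "B=22\0" */
    char *bulk = arena;
    memcpy(arena + 40, "A=1", 4);            /* constructed sample input */
    memcpy(arena + bulk_size, "B=22", 5);    /* constructed sample input */
    memcpy(before, arena, sizeof arena);
    const char *src[2] = { arena + 40, arena + bulk_size };
    char *var = bulk;
    size_t size = bulk_size, changed = 0;
    *errors = 0;
    for (int i = 0; i < 2; ++i) {
        size_t len = strlen(src[i]);
        *errors += model_memcpy_s(var, size, src[i], len + 1);
        var += len + 1;
        if (shrink_size) size -= len + 1;    /* keep size = bytes left in bulk */
    }
    for (size_t i = bulk_size; i < ARENA; ++i) changed += arena[i] != before[i];
    return changed;
}

int main(void) {
    int e;
    size_t n = pack_env(0, &e); printf("stale size: %zu bytes, %d error(s)\n", n, e);
    n = pack_env(1, &e);        printf("fixed size: %zu bytes, %d error(s)\n", n, e);
    return 0;
}
```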