Skip to content

Fix stack buffer overflow in String::getBytes() test #193

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Aug 1, 2023
Merged

Fix stack buffer overflow in String::getBytes() test #193

merged 2 commits into from
Aug 1, 2023
+4 −3

Conversation

tttapa
Copy link
Contributor

@tttapa tttapa commented Jul 31, 2023

  • Fixes a stack buffer overflow in the [String-getBytes-02] test.
  • Fixes the concatenation of the CMAKE_{C,CXX}_FLAGS variable in test/CMakeLists.txt (string concatenation instead of list concatenation).

This was caught by the GCC sanitizers. It might be a good idea to run the tests with -fsanitize=address,undefined in the CI (in addition to Valgrind) to catch these kinds of bugs early.

@CLAassistant
Copy link

CLAassistant commented Jul 31, 2023
edited
Loading

CLA assistant check
All committers have signed the CLA.

@codecov-commenter
Copy link

Codecov Report

Patch and project coverage have no change.

Comparison is base (5b9faf6) 95.77% compared to head (363c2c4) 95.77%.

Additional details and impacted files 
@@           Coverage Diff           @@
##           master     #193   +/-   ##
=======================================
  Coverage   95.77%   95.77%           
=======================================
  Files          13       13           
  Lines         970      970           
=======================================
  Hits          929      929           
  Misses         41       41

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@per1234 per1234 added the bug label Jul 31, 2023
aentinger
aentinger approved these changes Aug 1, 2023
View reviewed changes
Copy link
Contributor

@aentinger aentinger left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍 Thanks for catching this @tttapa

@aentinger aentinger merged commit 84b98c7 into arduino:master Aug 1, 2023
@aentinger
Copy link
Contributor

This was caught by the GCC sanitizers. It might be a good idea to run the tests with -fsanitize=address,undefined in the CI (in addition to Valgrind) to catch these kinds of bugs early.

@tttapa care to send another PR adding -fsanitize=address,undefined to CMakelists.txt? (I could do it, but for bragging rights ;) )

@tttapa
Copy link
Contributor Author

tttapa commented Aug 6, 2023

I appreciate the offer of bragging rights :) but I'm afraid I don't have the time right now.
Since you can't have the sanitizers enabled when running under valgrind, this would be a nontrivial change to https://github.com/arduino/cpp-test-action (you'd need one build with sanitizers, and one without for valgrind).

@aentinger aentinger mentioned this pull request Aug 7, 2023
Open
3 tasks
@aentinger
Copy link
Contributor

Hi @tttapa ☕ 👋

I've created a feature request for arduino/cpp-test-action. Once the action incorporates that feature we could just use the action twice in our unit-test.yml, to once run with valgrind and once without it (but with sanitizing enabled). What do you think?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aentinger aentinger

Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@tttapa @CLAassistant @codecov-commenter @aentinger @per1234