Ticket #67 (closed defect: fixed)

Opened 5 months ago

Last modified 5 months ago

deftransform for replace is unsafe

Reported by: rtoy Owned by: somebody
Priority: major Milestone:
Component: Core Version: 2012-12
Keywords: Cc:

Description

Consider this function 

(defun bad (s)
  (declare (simple-string s))
  (replace s s :start2 100 :end2 105))

After compiling this, 

(bad (copy-seq "1234567890"))

Produces a totally bogus result, filling in the first 4 characters of the resulting string with garbage.

The problem is that the deftransform for replace just calls BIT-BASH-COPY without verifying that the start and end indices make sense for the given string. Note that it also doesn't check to see that end >= start, but this gets handled by BIT-BASH-COPY which gets a negative length and signals an error.

Change History

Changed 5 months ago by toy.raymond@…

  • status changed from new to closed
  • resolution set to fixed

commit 3be4fc215fa2a4d23dc145e6cfa9519492525bc1 Author: Raymond Toy <toy.raymond@…> Date: Sat Dec 22 12:46:45 2012 -0800

Fix ticket:67

Check that the start and end indices make sense for the given strings. This is important before we start bashing random parts of the string, potentially overwriting other objects.

Note: See TracTickets for help on using tickets.