Re: [Rd] sub( , perl = TRUE) overflow (PR#7479)

From: Prof Brian Ripley <ripley_at_stats.ox.ac.uk>
Date: Sat 08 Jan 2005 - 18:25:53 EST

On Sat, 8 Jan 2005 Robert.McGehee@geodecapital.com wrote:

> I'd like to report a bug (buffer overflow?) in the function sub(..., perl = TRUE)
>
> I wanted to implement the familiar perl function for removing white spaces before and after a character string:
> sub trimwhitespace($)
> {
> my $string = shift;
> $string =~ s/^\s+//;
> $string =~ s/\s+$//;
> return $string;
> }
>
> So in R this would (presumably) become:
>
> trimwhitespace <- function(x) {
> x <- sub('^\\s+', '', x, perl = TRUE) ## Removes preceding white spaces
> x <- sub('\\s+$', '', x, perl = TRUE) ## Removes trailing white spaces
> x
> }
>
> Expected behavior:
>> trimwhitespace(" abc")
> [1] "abc"
>
> On Windows:
>> trimwhitespace(" abc")
> [1] "abc\0\220\277\036\001\220견\08iW\001p긋\0X견\0" ## That's not good! Looks like a buffer overflow
>
> On Linux:
> [1] "abc\0\0\002\0\0 \377\0\0\0\002\0\0\0\006\0\0/\377\0\0" ## Linux goofs as well!
>
> Debugging shows that it is the first line in the function that produces
> the overflow. The overflow seems proportional to the about of preceding
> white spaces. I'm not sure if this is exploitable or not, but it might
> be possible to run arbitrary code stored in a character object using
> this.

Don't think so. It's actually just a printing issue: the length used for printing is marked incorrectly (as the length of the original string), and you won't be able to access the character string past the \0 in any other way.

I've fixed it now.

-- 
Brian D. Ripley,                  ripley@stats.ox.ac.uk
Professor of Applied Statistics,  http://www.stats.ox.ac.uk/~ripley/
University of Oxford,             Tel:  +44 1865 272861 (self)
1 South Parks Road,                     +44 1865 272866 (PA)
Oxford OX1 3TG, UK                Fax:  +44 1865 272595

______________________________________________ R-devel@stat.math.ethz.ch mailing list https://stat.ethz.ch/mailman/listinfo/r-devel

Received on Sat Jan 08 17:34:06 2005

This archive was generated by hypermail 2.1.8 : Sat 08 Jan 2005 - 18:17:14 EST