Fix reflect robustness/clarity argv[i+1] in melt.c parser loop#1264
Fix reflect robustness/clarity argv[i+1] in melt.c parser loop#1264alor29 wants to merge 5 commits into
Conversation
There was a problem hiding this comment.
Pull request overview
This PR adjusts the melt CLI argument parsing loop to guard the inner “consume non-option args” loop with an i < argc bound check, aiming to prevent out-of-range argv access during command-line parsing.
Changes:
- Add
i < argcto the innerwhilecondition insrc/melt/melt.cto ensureargv[i]is only read wheniis within bounds.
| i++; | ||
|
|
||
| while (argv[i] != NULL && argv[i][0] != '-') { | ||
| while (i < argc && argv[i] != NULL && argv[i][0] != '-') { | ||
| if (store != NULL) |
…g on the NULL guarantee. from melt.c
|
The C standard (C99 §5.1.2.2.1) guarantees that The code is safe and idiomatic C — relying on the null terminator of |
|
Thanks for the clarification! I’ve updated the PR rationale to emphasize robustness and clarity rather than unsafe dereference. The code now explicitly checks bounds, which makes it easier to read and maintain. |
|
no, it does not IMO, and you are wasting my time by what appears to be trying to prove something to someone else. |
|
"Thank you for the detailed review and the C99 standard clarification, @ddennedy. Completely understand the preference for relying on the standard null terminator here. Glad to have dug into the codebase anyway—thanks for your time!" |
Summary
The parser loop in melt.c dereferences argv[i+1] without checking i+1 < argc. This can lead to out‑of‑bounds access when parsing command‑line arguments, resulting in undefined behavior or potential crashes.
Steps to Reproduce
#include <stdio.h>
#include <string.h>
int main(int argc, char *argv[]) {
int i = 1;
while (argv[i+1] && strchr(argv[i+1], '=')) {
printf("Parsing: %s\n", argv[++i]);
}
return 0;
} then --> gcc -g -fsanitize=address,undefined -o poc_bug poc_bug.c
3.Inspect with GDB :
gdb ./poc_bug
break poc_bug.c:9
run -consumer key=value another=thing
print argv[i+1]
Evidence
Impact :
This bug can cause undefined behavior or crashes when parsing crafted arguments. It is a potential memory safety issue.
Fix :
Added a bounds check to the loop condition :
while (i < argc && argv[i] != NULL && argv[i][0] != '-') {
if (store != NULL)
fprintf(store, "%s\n", argv[i]);
i += 1;
}
Notes :
Happy to be able to help in this project .