m4-patches

branch-1_4 allow cross-compiles; expose buffer overrun


From: Eric Blake
Subject: branch-1_4 allow cross-compiles; expose buffer overrun
Date: Thu, 29 Jun 2006 07:36:27 -0600
User-agent: Thunderbird 1.5.0.4 (Windows/20060516)

This patch makes it easier to cross-compile (so I can test that my recent
gnulib changes make compilation on mingw possible), and makes it easier to
configure whether ecvt should be used by caching the test results.  With
the patch below in place:

$ M4_cv_have_efgcvt=no configure
$ make
...
$ echo 'format(%300d,1)'|src/m4
Segmentation fault (core dumped)

My analysis of format.c is as follows:

When HAVE_EFGCVT is defined, there is no buffer overflow.  However, the
three functions [efg]cvt have been declared obsolete by POSIX, replaced by
sprintf, so we probably should not be relying on them.  Besides, there is
an open bug on savannah complaining that format does not match printf,
probably due to the fact that we are using fcvt and massaging the output
ourselves: https://savannah.gnu.org/support/?func=detailitem&item_id=104303

When HAVE_EFGCVT is not defined, we are using a 256-byte buffer to hold an
unlimited length string from sprintf.  Classic buffer overflow, allowing
arbitrary code execution.  I don't know how likely this is to be exploited
in the wild, since most machines these days have ecvt, but it absolutely
must be fixed before 1.4.5.

I think the best course of action here would be to rewrite format.c to use
a single approach, using xasprintf from gnulib so we don't have buffer
overflows, and avoiding ecvt.  I'm also looking at coreutils' printf.c for
inspiration on how printf(1) parses format strings and arguments in a safe
manner.  For 1.4.5, all we need to fix is the buffer overflow.  But for
2.0, we can probably do other things like adding support for additional
format characters, supporting [u]intmax_t rather than limiting ourselves
to long, etc.

2006-06-29  Eric Blake  <address@hidden>

        * configure.ac (AC_CANONICAL_HOST, AC_CANONICAL_BUILD): Allow
        cross-compilation.
        (AC_CACHE_CHECK): Cache search for ecvt.

-- 
Life is short - so eat dessert first!

Eric Blake             address@hidden
Index: configure.ac
===================================================================
RCS file: /sources/m4/m4/configure.ac,v
retrieving revision 1.36.2.17
diff -u -p -r1.36.2.17 configure.ac
--- configure.ac        24 Jun 2006 22:53:35 -0000      1.36.2.17
+++ configure.ac        29 Jun 2006 13:13:02 -0000
@@ -29,6 +29,8 @@ m4_pattern_allow([^M4_cv_])
 AC_CONFIG_SRCDIR([src/m4.h])
 AC_CONFIG_HEADERS([config.h:config-h.in])
 
+AC_CANONICAL_BUILD
+AC_CANONICAL_HOST
 AC_PROG_CC
 M4_EARLY
 
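Review bot: AC_CANONICAL_HOST already AC_REQUIREs AC_CANONICAL_BUILD, so the explicit AC_CANONICAL_BUILD line is redundant (harmless, but it can go). More importantly, both macros make configure depend on config.guess and config.sub being present in the auxiliary directory; the ChangeLog entry should say so, since a checkout that lacks those two scripts will now fail at configure time instead of gaining the cross-compilation this hunk is meant to enable. Placing the macros ahead of AC_PROG_CC, as done here, is the right order.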
@@ -50,14 +52,16 @@ AC_CHECK_FUNCS_ONCE([sigaction sigaltsta
 
 M4_INIT
 
-AC_MSG_CHECKING([ecvt declaration])
-AC_EGREP_HEADER([ecvt], [stdlib.h],
-  [AC_MSG_RESULT([yes])
-   AC_DEFINE([HAVE_EFGCVT], [2],
+AC_CACHE_CHECK([ecvt declaration], [M4_cv_have_efgcvt],
+[AC_EGREP_HEADER([ecvt], [stdlib.h],
+  [M4_cv_have_efgcvt=yes], [M4_cv_have_efgcvt=no])])
+if test $M4_cv_have_efgcvt = yes ; then
+  AC_DEFINE([HAVE_EFGCVT], [2],
      [Define to 1 if you have ecvt(3), fcvt(3) and gcvt(3).  Define to 2 if
 they are declared in stdlib.h])
-  ],
-  [AC_MSG_RESULT([no]); AC_CHECK_FUNCS([ecvt])])
+else
+  AC_CHECK_FUNCS([ecvt])
+fi
 
 
 # Code from Jim Avera <address@hidden>.
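Review bot: `if test $M4_cv_have_efgcvt = yes ; then` leaves the cache variable unquoted, and now that it can be set from the environment or a config.cache file (the message itself runs `M4_cv_have_efgcvt=no configure`), an empty or multi-word value becomes a shell syntax error instead of falling into the `no` branch; write `test "x$M4_cv_have_efgcvt" = xyes`. Note also that forcing `no` on a host that does have ecvt deliberately selects the sprintf-into-256-bytes path in format.c that the message identifies as the overflow, so this knob is the test hook for the 1.4.5 fix, not a configuration to ship.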
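The overflow described in the message is a fixed 256-byte buffer receiving sprintf output whose length is set by the format width. The following is an added example, not m4's format.c and not part of Eric's patch, of the fix the message proposes: measure the output with snprintf and allocate exactly enough, the same shape as gnulib's xasprintf but without gnulib. OLD_BUF_SIZE, formatted_length, would_overflow_fixed_buffer and format_long_safe are names assumed here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The fixed buffer size that the message says format.c uses on the
   !HAVE_EFGCVT path.  The old idiom there is, in effect:
       char buf[256]; sprintf(buf, "%*ld", width, value);
   which writes past buf as soon as width reaches 256. */
#define OLD_BUF_SIZE 256

/* Length that "%<width>ld" of value produces, excluding the NUL.
   snprintf with a NULL buffer and size 0 only measures. */
int formatted_length(int width, long value)
{
    return snprintf(NULL, 0, "%*ld", width, value);
}

/* 1 if the old fixed buffer could not hold the result plus its NUL. */
int would_overflow_fixed_buffer(int width, long value)
{
    int n = formatted_length(width, value);
    return n < 0 || n >= OLD_BUF_SIZE;
}

/* Measure, then allocate exactly enough (assumed stand-in for the
   xasprintf-based rewrite the message proposes).
   Returns a malloc'd string (caller frees) or NULL on failure. */
char *format_long_safe(int width, long value)
{
    int n = formatted_length(width, value);
    if (n < 0)
        return NULL;
    char *out = malloc((size_t)n + 1);
    if (out == NULL)
        return NULL;
    snprintf(out, (size_t)n + 1, "%*ld", width, value);
    return out;
}

int main(void)
{
    /* The crashing input from the message: format(%300d,1). */
    printf("%%300ld needs %d bytes; fixed buffer overflows: %s\n",
           formatted_length(300, 1),
           would_overflow_fixed_buffer(300, 1) ? "yes" : "no");
    char *s = format_long_safe(300, 1);
    printf("safe result length: %zu\n", s ? strlen(s) : (size_t)0);
    free(s);
    return 0;
}
```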
