From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <glibc-bugs-return-4263-listarch-glibc-bugs=sources.redhat.com@sourceware.org>
Received: (qmail 14410 invoked by alias); 14 Mar 2006 15:23:37 -0000
Received: (qmail 14401 invoked by uid 48); 14 Mar 2006 15:23:35 -0000
Date: Tue, 14 Mar 2006 15:23:00 -0000
Message-ID: <20060314152335.14400.qmail@sourceware.org>
From: "jakub at redhat dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sources.redhat.com
In-Reply-To: <20060314145801.2459.richard@ex-parrot.com>
References: <20060314145801.2459.richard@ex-parrot.com>
Reply-To: sourceware-bugzilla@sourceware.org
Subject: [Bug libc/2459] Use of uninitialised variable in fnmatch when matching long strings
X-Bugzilla-Reason: CC
Mailing-List: contact glibc-bugs-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Subscribe: <mailto:glibc-bugs-subscribe@sourceware.org>
List-Post: <mailto:glibc-bugs@sourceware.org>
List-Help: <mailto:glibc-bugs-help@sourceware.org>, <http://sourceware.org/lists.html#faqs>
Sender: glibc-bugs-owner@sourceware.org
X-SW-Source: 2006-03/txt/msg00080.txt.bz2
List-Id: <glibc-bugs.sourceware.org>


------- Additional Comments From jakub at redhat dot com  2006-03-14 15:23 -------
glibc-2_3-branch has:
#ifdef _LIBC
      n = strnlen (string, 1024);
#else
      n = strlen (string);
#endif
      p = string;
      if (__builtin_expect (n < 1024, 1))
        {
          wstring = (wchar_t *) alloca ((n + 1) * sizeof (wchar_t));
          n = mbsrtowcs (wstring, &p, n + 1, &ps);
          if (__builtin_expect (n == (size_t) -1, 0))
            /* Something wrong.
               XXX Do we have to set `errno' to something which mbsrtows hasn't
               already done?  */
            return -1;
          if (p)
            memset (&ps, '\0', sizeof (ps));
        }
      if (__builtin_expect (p != NULL, 0))
        {
          n = mbsrtowcs (NULL, &string, 0, &ps);
          if (__builtin_expect (n == (size_t) -1, 0))
            /* Something wrong.
               XXX Do we have to set `errno' to something which mbsrtows hasn't
               already done?  */
            return -1;
          wstring = (wchar_t *) alloca ((n + 1) * sizeof (wchar_t));
          assert (mbsinit (&ps));
          (void) mbsrtowcs (wstring, &string, n + 1, &ps);
        }

      return internal_fnwmatch (wpattern, wstring, wstring + n,
                                flags & FNM_PERIOD, flags);

No try_singlebyte label and I don't see how can wstring end up being
uninitialized (well, GCC will warn, but that's GCC deficiency).

-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=2459

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.