[Bug libc/4963] New: __wcsnlen+efence crash - sttob at mailshack dot com

public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed

From: "sttob at mailshack dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sources.redhat.com
Subject: [Bug libc/4963] New: __wcsnlen+efence crash
Date: Mon, 27 Aug 2007 19:03:00 -0000	[thread overview]
Message-ID: <20070827190316.4963.sttob@mailshack.com> (raw)

>Description:
  The problem was spotted and confirmed on glibc-2.3.2 (i386, Slackware,
  Debian), and in glibc-2.6 by source inspection, and also in CVS via
  cvsweb.

  In glibc-2.6/wcsmbs/wcsnlen.c one can easily see that __wcsnlen() first
  accesses data, then checks if it's allowed to.  This invokes undefined
  behaviour when the character array is not zero-terminated.

  This bug is inherited by other library functions which call __wcsnlen(),
  eg. *printf() family.

  The bug makes it at least impossible to properly test programs
  with Electric Fence, but might be fatal in normal operation, too
  (end of process memory hit).

>How-To-Repeat:
    wchar_t *wcp = malloc(4 * sizeof *wcp);
    wcp[0] = 'a';  wcp[1] = 'b';
    wcp[2] = 'c';  wcp[3] = 'd';
    wcsnlen(wcp, 4);               /* CRASH */
    wprintf(L"wcp=%.4ls\n", wcp);  /* CRASH */

  Running:  LD_PRELOAD=./libefence.so ./a.out

>Fix:
  I don't dare to give a solution, maybe it should be enough to reverse
  the order of logical sub-expressions in `while' and `if' conditions, 
  like:
    if (++len, --maxlen == 0 || s[len] == L'\0' )

-- 
           Summary: __wcsnlen+efence crash
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
        AssignedTo: drepper at redhat dot com
        ReportedBy: sttob at mailshack dot com
                CC: glibc-bugs at sources dot redhat dot com


http://sourceware.org/bugzilla/show_bug.cgi?id=4963

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

next             reply	other threads:[~2007-08-27 19:03 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-08-27 19:03 sttob at mailshack dot com [this message]
2007-09-23 18:28 ` [Bug libc/4963] " drepper at redhat dot com

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20070827190316.4963.sttob@mailshack.com \
    --to=sourceware-bugzilla@sourceware.org \
    --cc=glibc-bugs@sources.redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).