public inbox for glibc-bugs@sourceware.org help / color / mirror / Atom feed
From: "sttob at mailshack dot com" <sourceware-bugzilla@sourceware.org> To: glibc-bugs@sources.redhat.com Subject: [Bug libc/4963] New: __wcsnlen+efence crash Date: Mon, 27 Aug 2007 19:03:00 -0000 [thread overview] Message-ID: <20070827190316.4963.sttob@mailshack.com> (raw) >Description: The problem was spotted and confirmed on glibc-2.3.2 (i386, Slackware, Debian), and in glibc-2.6 by source inspection, and also in CVS via cvsweb. In glibc-2.6/wcsmbs/wcsnlen.c one can easily see that __wcsnlen() first accesses data, then checks if it's allowed to. This invokes undefined behaviour when the character array is not zero-terminated. This bug is inherited by other library functions which call __wcsnlen(), eg. *printf() family. The bug makes it at least impossible to properly test programs with Electric Fence, but might be fatal in normal operation, too (end of process memory hit). >How-To-Repeat: wchar_t *wcp = malloc(4 * sizeof *wcp); wcp[0] = 'a'; wcp[1] = 'b'; wcp[2] = 'c'; wcp[3] = 'd'; wcsnlen(wcp, 4); /* CRASH */ wprintf(L"wcp=%.4ls\n", wcp); /* CRASH */ Running: LD_PRELOAD=./libefence.so ./a.out >Fix: I don't dare to give a solution, maybe it should be enough to reverse the order of logical sub-expressions in `while' and `if' conditions, like: if (++len, --maxlen == 0 || s[len] == L'\0' ) -- Summary: __wcsnlen+efence crash Product: glibc Version: unspecified Status: NEW Severity: normal Priority: P2 Component: libc AssignedTo: drepper at redhat dot com ReportedBy: sttob at mailshack dot com CC: glibc-bugs at sources dot redhat dot com http://sourceware.org/bugzilla/show_bug.cgi?id=4963 ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
next reply other threads:[~2007-08-27 19:03 UTC|newest] Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top 2007-08-27 19:03 sttob at mailshack dot com [this message] 2007-09-23 18:28 ` [Bug libc/4963] " drepper at redhat dot com
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20070827190316.4963.sttob@mailshack.com \ --to=sourceware-bugzilla@sourceware.org \ --cc=glibc-bugs@sources.redhat.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).