public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug libc/4963] New: __wcsnlen+efence crash
@ 2007-08-27 19:03 sttob at mailshack dot com
2007-09-23 18:28 ` [Bug libc/4963] " drepper at redhat dot com
0 siblings, 1 reply; 2+ messages in thread
From: sttob at mailshack dot com @ 2007-08-27 19:03 UTC (permalink / raw)
To: glibc-bugs
>Description:
The problem was spotted and confirmed on glibc-2.3.2 (i386, Slackware,
Debian), and in glibc-2.6 by source inspection, and also in CVS via
cvsweb.
In glibc-2.6/wcsmbs/wcsnlen.c one can easily see that __wcsnlen() first
accesses data, then checks if it's allowed to. This invokes undefined
behaviour when the character array is not zero-terminated.
This bug is inherited by other library functions which call __wcsnlen(),
eg. *printf() family.
The bug makes it at least impossible to properly test programs
with Electric Fence, but might be fatal in normal operation, too
(end of process memory hit).
>How-To-Repeat:
wchar_t *wcp = malloc(4 * sizeof *wcp);
wcp[0] = 'a'; wcp[1] = 'b';
wcp[2] = 'c'; wcp[3] = 'd';
wcsnlen(wcp, 4); /* CRASH */
wprintf(L"wcp=%.4ls\n", wcp); /* CRASH */
Running: LD_PRELOAD=./libefence.so ./a.out
>Fix:
I don't dare to give a solution, maybe it should be enough to reverse
the order of logical sub-expressions in `while' and `if' conditions,
like:
if (++len, --maxlen == 0 || s[len] == L'\0' )
--
Summary: __wcsnlen+efence crash
Product: glibc
Version: unspecified
Status: NEW
Severity: normal
Priority: P2
Component: libc
AssignedTo: drepper at redhat dot com
ReportedBy: sttob at mailshack dot com
CC: glibc-bugs at sources dot redhat dot com
http://sourceware.org/bugzilla/show_bug.cgi?id=4963
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
^ permalink raw reply [flat|nested] 2+ messages in thread
* [Bug libc/4963] __wcsnlen+efence crash
2007-08-27 19:03 [Bug libc/4963] New: __wcsnlen+efence crash sttob at mailshack dot com
@ 2007-09-23 18:28 ` drepper at redhat dot com
0 siblings, 0 replies; 2+ messages in thread
From: drepper at redhat dot com @ 2007-09-23 18:28 UTC (permalink / raw)
To: glibc-bugs
------- Additional Comments From drepper at redhat dot com 2007-09-23 18:28 -------
Fixed in cvs.
--
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
http://sourceware.org/bugzilla/show_bug.cgi?id=4963
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2007-09-23 18:28 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2007-08-27 19:03 [Bug libc/4963] New: __wcsnlen+efence crash sttob at mailshack dot com
2007-09-23 18:28 ` [Bug libc/4963] " drepper at redhat dot com
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).