[Bug libc/10818] New: printf("%s\n", NULL) segfaults

[Bug libc/10818] New: printf("%s\n", NULL) segfaults

[kir at sacred dot ru]

[kir@kir ~]$ cat null.c 
#include <stdio.h>

int main(void) {
	fprintf(stdout, "%s\n", NULL);
	printf("%s%s\n", NULL, NULL);
	printf("%s", NULL);
	printf("\n-newline-\n");
	printf("%s\n", NULL);
	return 0;
}
[kir@kir ~]$ gcc null.c
[kir@kir ~]$ ./a.out 
(null)
(null)(null)
(null)
-newline-
Segmentation fault

Note that only printf with "%s\n" segfaults, while others are fine.

This is because 
(1) call to printf("%s\n", str) is optimized to puts(str)
(2) puts(str) calls strlen(str)
(3) strlen(NULL) segfaults

System info:

$ rpm -q fedora-release gcc glibc
fedora-release-10-1.noarch
gcc-4.3.2-7.x86_64
glibc-2.9-3.i686
glibc-2.9-3.x86_64

PS
I discovered this bug when trying to do something like this:

	/* This should return NULL -- buflen is not big enough */
	printf("%s\n", inet_ntop(AF_INET, &in, buf, 2);

and got SIGSEGV instead of (null) being printed.

-- 
           Summary: printf("%s\n", NULL) segfaults
           Product: glibc
           Version: 2.9
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
        AssignedTo: drepper at redhat dot com
        ReportedBy: kir at sacred dot ru
                CC: glibc-bugs at sources dot redhat dot com


http://sourceware.org/bugzilla/show_bug.cgi?id=10818

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/10818] printf("%s\n", NULL) segfaults

[kir at sacred dot ru]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain, Size: 719 bytes --]


------- Additional Comments From kir at sacred dot ru  2009-10-21 07:45 -------
Relevant GCC bug:
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=15685

Relevant portion of glibc doc [1]:
> If you accidentally pass a null pointer as the argument for a ‘%s’
> conversion, the GNU library prints it as ‘(null)’. We think this
> is more useful than crashing. But it's not good practice to pass
> a null argument intentionally. 

[1]
http://www.gnu.org/software/libc/manual/html_node/Other-Output-Conversions.html#Other-Output-Conversions

-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=10818

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/10818] printf("%s\n", NULL) segfaults

[kir at sacred dot ru]

------- Additional Comments From kir at sacred dot ru  2009-10-21 10:45 -------
Yet one more relevant bug to gcc:
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=25609

>From my perspective the best thing to do is to let puts with NULL argument to
print "(null)\n", just for the consistency with printf's behavior, and with a
"side effect" of fixing this bug (caused by gcc optimization, but nevertheless).

-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=10818

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/10818] printf("%s\n", NULL) segfaults

[jakub at redhat dot com]

------- Additional Comments From jakub at redhat dot com  2009-10-21 10:48 -------
You don't understand.  The bug is in our code, not in glibc.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID


http://sourceware.org/bugzilla/show_bug.cgi?id=10818

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/10818] printf("%s\n", NULL) segfaults

[kir at sacred dot ru]

------- Additional Comments From kir at sacred dot ru  2009-10-21 10:53 -------
OK, basically this is a dup of bug #5618, let's mark it as such...

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |


http://sourceware.org/bugzilla/show_bug.cgi?id=10818

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/10818] printf("%s\n", NULL) segfaults

[kir at sacred dot ru]

------- Additional Comments From kir at sacred dot ru  2009-10-21 10:53 -------


*** This bug has been marked as a duplicate of 5618 ***

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |DUPLICATE


http://sourceware.org/bugzilla/show_bug.cgi?id=10818

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/10818] printf("%s\n", NULL) segfaults

[manu at gcc dot gnu dot org]

------- Additional Comments From manu at gcc dot gnu dot org  2009-10-21 11:49 -------
(In reply to comment #3)
> You don't understand.  The bug is in our code, not in glibc.

All related bugs are closed as INVALID. So nobody thinks there is a bug at all.

-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=10818

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug libc/10818] printf("%s\n", NULL) segfaults

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=10818

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |security-

-- 
You are receiving this mail because:
You are on the CC list for the bug.