[Bug libc/13138] New: scanf crashes on very long numbers

[Bug libc/13138] New: scanf crashes on very long numbers

[lanurmi at iki dot fi]

http://sourceware.org/bugzilla/show_bug.cgi?id=13138

             Bug #: 13138
           Summary: scanf crashes on very long numbers
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: critical
          Priority: P2
         Component: libc
        AssignedTo: drepper.fsp@gmail.com
        ReportedBy: lanurmi@iki.fi
    Classification: Unclassified


As pointed out by someone at
<http://marc.info/?l=gimp-developer&m=129567990905823&w=2>, the scanf
implementation of glibc will crash when given input containing a lot of digits.

This is the sample code copied from the post mentioned above:

#include <stdio.h>
int main()
{
    int a;
    scanf("%i", &a);
    return 0;
}

Expected output none; actual output:

$ perl -e 'print "5"x21000000' | ./a.out
Segmentation fault

Tested and reproduced on:
RHEL 5.7 (x86_64)
Debian Squeeze (armv5tel)

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug libc/13138] scanf crashes on very long numbers

[thomas.jarosch at intra2net dot com]

http://sourceware.org/bugzilla/show_bug.cgi?id=13138

Thomas Jarosch <thomas.jarosch at intra2net dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |thomas.jarosch at intra2net
                   |                            |dot com

--- Comment #1 from Thomas Jarosch <thomas.jarosch at intra2net dot com> 2011-08-29 11:28:16 UTC ---
Same thing on Fedora 14 (x86_64).

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug libc/13138] scanf crashes on very long numbers

[ppluzhnikov at google dot com]

http://sourceware.org/bugzilla/show_bug.cgi?id=13138

Paul Pluzhnikov <ppluzhnikov at google dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ppluzhnikov at google dot
                   |                            |com

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug libc/13138] scanf crashes on very long numbers

[mpolacek at redhat dot com]

http://sourceware.org/bugzilla/show_bug.cgi?id=13138

Marek Polacek <mpolacek at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mpolacek at redhat dot com

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug libc/13138] scanf crashes on very long numbers

[lanurmi at iki dot fi]

http://sourceware.org/bugzilla/show_bug.cgi?id=13138

--- Comment #2 from Lauri Nurmi <lanurmi at iki dot fi> 2011-09-02 15:07:16 UTC ---
Good news everyone:
ISO C99 §7.19.6.2 item 10 says:
"[...] the result of the conversion is placed in the object pointed to by
[...]. If this object does not have an appropriate type, or if the result of
the conversion cannot be represented in the object, the behavior is undefined."

So the standard permits the crash; problem solved.

I'll leave this bug open though, so that alternatives to segfaulting can be
considered.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug libc/13138] scanf crashes on very long numbers

[bugdal at aerifal dot cx]

http://sourceware.org/bugzilla/show_bug.cgi?id=13138

Rich Felker <bugdal at aerifal dot cx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bugdal at aerifal dot cx

--- Comment #3 from Rich Felker <bugdal at aerifal dot cx> 2011-09-03 05:08:56 UTC ---
POSIX uses the more-clear language "or if the result of the conversion cannot
be represented in the space provided" rather than "... in the object". In
either case, I believe this is referring to string conversions that overflow
the destination buffer, not numeric conversions. I can't find any language
regarding what happens when a numeric value is outside the range of the type,
but the expected form is specified in terms of strtol, etc., so it would not be
unreasonable to expect scanf to behave the same as these functions.

By the way, can the bug be reproduced with a huge string of zeros? If so, the
numeric overflow issue is irrelevant and the behavior is definitely
well-defined by the standard.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug libc/13138] scanf crashes on very long numbers

[lanurmi at iki dot fi]

http://sourceware.org/bugzilla/show_bug.cgi?id=13138

--- Comment #4 from Lauri Nurmi <lanurmi at iki dot fi> 2011-09-03 06:33:54 UTC ---
(In reply to comment #3)
> By the way, can the bug be reproduced with a huge string of zeros?

Yes it can.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug libc/13138] scanf crashes on very long numbers

[drepper.fsp at gmail dot com]

http://sourceware.org/bugzilla/show_bug.cgi?id=13138

Ulrich Drepper <drepper.fsp at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #5 from Ulrich Drepper <drepper.fsp at gmail dot com> 2011-09-10 01:29:30 UTC ---
I checked in a patch.

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug libc/13138] scanf crashes on very long numbers

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=13138

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security+

--- Comment #6 from Florian Weimer <fweimer at redhat dot com> ---
Fix: https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=3f8cc204fdd0

The fix is part of glibc 2.15.  The issue was present since the dawn of times.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/13138] scanf crashes on very long numbers

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=13138

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://sourceware.org/bugz
                   |                            |illa/show_bug.cgi?id=16618

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/13138] scanf crashes on very long numbers

[schwab@linux-m68k.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=13138

--- Comment #7 from Andreas Schwab <schwab@linux-m68k.org> ---
Follow-up fix: https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=20b38e0

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/13138] scanf crashes on very long numbers

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=13138

--- Comment #8 from Florian Weimer <fweimer at redhat dot com> ---
(In reply to Andreas Schwab from comment #7)
> Follow-up fix: https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=20b38e0

I think this is just a performance fix because the buffer is populated by one
character at a time, so __libc_use_alloca is always true on the first buffer
extension, and then we are in the use_malloc case.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/13138] scanf crashes on very long numbers

[schwab@linux-m68k.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=13138

--- Comment #9 from Andreas Schwab <schwab@linux-m68k.org> ---
It's still a logic error.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/13138] scanf crashes on very long numbers

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=13138

--- Comment #10 from Florian Weimer <fweimer at redhat dot com> ---
(In reply to Andreas Schwab from comment #9)
> It's still a logic error.

What do you mean?  Clearly, the code does not do what is intended, but as far
as I can tell, there is no observable impact whatsoever (not even performance).

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/13138] scanf crashes on very long numbers

[schwab@linux-m68k.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=13138

--- Comment #11 from Andreas Schwab <schwab@linux-m68k.org> ---
A logic error is an error in the logic.

-- 
You are receiving this mail because:
You are on the CC list for the bug.