public inbox for glibc-bugs@sourceware.org
* [Bug libc/13138] New: scanf crashes on very long numbers
From: lanurmi at iki dot fi @ 2011-08-28 11:31 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=13138
Bug #: 13138
Summary: scanf crashes on very long numbers
Product: glibc
Version: unspecified
Status: NEW
Severity: critical
Priority: P2
Component: libc
AssignedTo: drepper.fsp@gmail.com
ReportedBy: lanurmi@iki.fi
Classification: Unclassified
As pointed out by someone at
<http://marc.info/?l=gimp-developer&m=129567990905823&w=2>, the scanf
implementation of glibc will crash when given input containing a lot of digits.
This is the sample code copied from the post mentioned above:
#include <stdio.h>

int main(void)
{
    int a;
    /* Reproducer: read a single integer from stdin. */
    scanf("%i", &a);
    return 0;
}
Expected output none; actual output:
$ perl -e 'print "5"x21000000' | ./a.out
Segmentation fault
Tested and reproduced on:
RHEL 5.7 (x86_64)
Debian Squeeze (armv5tel)
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
* [Bug libc/13138] scanf crashes on very long numbers
From: thomas.jarosch at intra2net dot com @ 2011-08-29 11:29 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=13138
Thomas Jarosch <thomas.jarosch at intra2net dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |thomas.jarosch at intra2net dot com
--- Comment #1 from Thomas Jarosch <thomas.jarosch at intra2net dot com> 2011-08-29 11:28:16 UTC ---
Same thing on Fedora 14 (x86_64).
* [Bug libc/13138] scanf crashes on very long numbers
From: ppluzhnikov at google dot com @ 2011-08-29 14:20 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=13138
Paul Pluzhnikov <ppluzhnikov at google dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |ppluzhnikov at google dot com
* [Bug libc/13138] scanf crashes on very long numbers
From: mpolacek at redhat dot com @ 2011-08-29 14:22 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=13138
Marek Polacek <mpolacek at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |mpolacek at redhat dot com
* [Bug libc/13138] scanf crashes on very long numbers
From: lanurmi at iki dot fi @ 2011-09-02 15:07 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=13138
--- Comment #2 from Lauri Nurmi <lanurmi at iki dot fi> 2011-09-02 15:07:16 UTC ---
Good news everyone:
ISO C99 §7.19.6.2 item 10 says:
"[...] the result of the conversion is placed in the object pointed to by
[...]. If this object does not have an appropriate type, or if the result of
the conversion cannot be represented in the object, the behavior is undefined."
So the standard permits the crash; problem solved.
I'll leave this bug open though, so that alternatives to segfaulting can be
considered.
* [Bug libc/13138] scanf crashes on very long numbers
From: bugdal at aerifal dot cx @ 2011-09-03 5:09 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=13138
Rich Felker <bugdal at aerifal dot cx> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |bugdal at aerifal dot cx
--- Comment #3 from Rich Felker <bugdal at aerifal dot cx> 2011-09-03 05:08:56 UTC ---
POSIX uses the clearer language "or if the result of the conversion cannot
be represented in the space provided" rather than "... in the object". In
either case, I believe this is referring to string conversions that overflow
the destination buffer, not numeric conversions. I can't find any language
regarding what happens when a numeric value is outside the range of the type,
but the expected form is specified in terms of strtol, etc., so it would not be
unreasonable to expect scanf to behave the same as these functions.
By the way, can the bug be reproduced with a huge string of zeros? If so, the
numeric overflow issue is irrelevant and the behavior is definitely
well-defined by the standard.
* [Bug libc/13138] scanf crashes on very long numbers
From: lanurmi at iki dot fi @ 2011-09-03 6:35 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=13138
--- Comment #4 from Lauri Nurmi <lanurmi at iki dot fi> 2011-09-03 06:33:54 UTC ---
(In reply to comment #3)
> By the way, can the bug be reproduced with a huge string of zeros?
Yes it can.
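Comments #3 and #4 contrast scanf with strtol, which reports out-of-range values through ERANGE, and establish that a long run of zeros (numeric value 0) is enough to trigger the crash, so the trigger is input length rather than numeric overflow. The program below is an added example, not code from the bug report or from glibc: it shows the strtol-based parse that comment #3 holds up as the expected behaviour, a width-bounded sscanf form for code that must keep using scanf on untrusted input, and a constructed input in the shape of the reporter's 21,000,000-digit line. The function and status names are this example's own.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum parse_status { PARSE_OK, PARSE_EMPTY, PARSE_TRAILING, PARSE_RANGE, PARSE_NOMEM };

/* strtol-style parse of an int from a NUL-terminated string: overflow is
   reported as PARSE_RANGE (ERANGE, or a value outside int) instead of being
   wrapped, and trailing non-digits are rejected. Leading zeros, however many,
   are fine: strtol walks them and they do not change the value. */
enum parse_status parse_int_strict(const char *s, int *out)
{
    char *end = NULL;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (end == s)
        return PARSE_EMPTY;
    if (errno == ERANGE || v < INT_MIN || v > INT_MAX)
        return PARSE_RANGE;
    if (*end != '\0')
        return PARSE_TRAILING;
    *out = (int)v;
    return PARSE_OK;
}

/* If the input has to go through scanf, bound the field: 11 characters hold
   any 32-bit int with its sign, so the library never has to accumulate an
   unbounded run of digits. A 12th character that is still a digit means the
   token is longer than any int can be; it is rejected as PARSE_RANGE even
   when the extra length is only leading zeros (deliberately conservative,
   unlike parse_int_strict). */
enum parse_status scan_int_bounded(const char *s, int *out)
{
    char field[12];
    char next = '\0';
    int n = sscanf(s, " %11[-+0-9]%c", field, &next);
    if (n < 1)
        return PARSE_EMPTY;
    if (n == 2 && isdigit((unsigned char)next))
        return PARSE_RANGE;
    if (n == 2)
        return PARSE_TRAILING;
    return parse_int_strict(field, out);
}

/* Constructed input in the shape of the reporter's perl -e 'print "5"x21000000':
   `count` copies of `digit` followed by `tail`, parsed with parse_int_strict. */
enum parse_status parse_repeated(char digit, size_t count, const char *tail, int *out)
{
    size_t tlen = strlen(tail);
    char *buf = malloc(count + tlen + 1);
    if (buf == NULL)
        return PARSE_NOMEM;
    memset(buf, digit, count);
    memcpy(buf + count, tail, tlen + 1);
    enum parse_status st = parse_int_strict(buf, out);
    free(buf);
    return st;
}

int main(void)
{
    static const char *const names[] = { "ok", "empty", "trailing", "range", "nomem" };
    int v = 0;
    enum parse_status st;

    st = parse_repeated('5', 21000000, "", &v);
    printf("21000000 x '5'           -> %s\n", names[st]);        /* range */
    st = parse_repeated('0', 21000000, "5", &v);
    printf("21000000 x '0' then '5'  -> %s (%d)\n", names[st], v); /* ok (5) */
    st = scan_int_bounded("000000000000005", &v);
    printf("bounded scan of 15 chars -> %s\n", names[st]);        /* range */
    return 0;
}
```

The two parsers differ on exactly the case comment #3 asks about: parse_int_strict accepts a 21,000,000-zero prefix because the value is representable, while scan_int_bounded rejects any token longer than 11 characters regardless of value. Which trade-off is right depends on whether the caller would rather tolerate absurd-length input or cut it off early.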
* [Bug libc/13138] scanf crashes on very long numbers
From: drepper.fsp at gmail dot com @ 2011-09-10 1:29 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=13138
Ulrich Drepper <drepper.fsp at gmail dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
--- Comment #5 from Ulrich Drepper <drepper.fsp at gmail dot com> 2011-09-10 01:29:30 UTC ---
I checked in a patch.
* [Bug libc/13138] scanf crashes on very long numbers
From: fweimer at redhat dot com @ 2014-06-13 14:34 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=13138
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fweimer at redhat dot com
Flags| |security+
--- Comment #6 from Florian Weimer <fweimer at redhat dot com> ---
Fix: https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=3f8cc204fdd0
The fix is part of glibc 2.15. The issue was present since the dawn of time.
* [Bug libc/13138] scanf crashes on very long numbers
From: fweimer at redhat dot com @ 2015-02-26 9:21 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=13138
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
See Also| |https://sourceware.org/bugzilla/show_bug.cgi?id=16618
* [Bug libc/13138] scanf crashes on very long numbers
From: schwab@linux-m68k.org @ 2015-03-04 10:35 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=13138
--- Comment #7 from Andreas Schwab <schwab@linux-m68k.org> ---
Follow-up fix: https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=20b38e0
* [Bug libc/13138] scanf crashes on very long numbers
From: fweimer at redhat dot com @ 2015-03-04 18:52 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=13138
--- Comment #8 from Florian Weimer <fweimer at redhat dot com> ---
(In reply to Andreas Schwab from comment #7)
> Follow-up fix: https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=20b38e0
I think this is just a performance fix because the buffer is populated by one
character at a time, so __libc_use_alloca is always true on the first buffer
extension, and then we are in the use_malloc case.
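Comment #8 describes the scanf number path in terms of a buffer filled one character at a time that decides, on each extension, between staying in alloca-backed storage and moving to malloc. As an added illustration of that general pattern (this is not glibc's code and not the patch at either commit linked above), here is a digit accumulator whose stack-resident part is a compile-time constant, so input length can never size a stack allocation; everything past the threshold is heap-allocated and every allocation is checked. The struct, function names and the 64-byte threshold are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DIGITBUF_INLINE 64   /* fixed inline capacity; never derived from input */

struct digitbuf {
    char *data;              /* points at inline_store or at a heap block */
    size_t len;
    size_t cap;
    bool on_heap;
    char inline_store[DIGITBUF_INLINE];
};

void digitbuf_init(struct digitbuf *b)
{
    b->data = b->inline_store;
    b->len = 0;
    b->cap = sizeof b->inline_store;
    b->on_heap = false;
}

/* Append one character, keeping room for a terminating NUL. Returns false on
   allocation failure with the buffer left intact, so the caller can report an
   input error instead of crashing. The first growth copies the inline bytes
   to the heap; later growths realloc the heap block. */
bool digitbuf_push(struct digitbuf *b, char c)
{
    if (b->len + 1 >= b->cap) {
        size_t ncap = b->cap * 2;
        if (ncap < b->cap)               /* size_t overflow guard */
            return false;
        char *n;
        if (b->on_heap) {
            n = realloc(b->data, ncap);  /* on failure b->data stays valid */
            if (n == NULL)
                return false;
        } else {
            n = malloc(ncap);
            if (n == NULL)
                return false;
            memcpy(n, b->data, b->len);
            b->on_heap = true;
        }
        b->data = n;
        b->cap = ncap;
    }
    b->data[b->len++] = c;
    return true;
}

/* NUL-terminate in place; safe because push always leaves one spare byte. */
const char *digitbuf_str(struct digitbuf *b)
{
    b->data[b->len] = '\0';
    return b->data;
}

void digitbuf_free(struct digitbuf *b)
{
    if (b->on_heap)
        free(b->data);
    digitbuf_init(b);
}

/* Accumulate `count` copies of `digit` (constructed input in the shape of the
   bug report) and report where the buffer ended up. Returns the final length,
   or 0 if an allocation failed. */
size_t accumulate_digits(char digit, size_t count, bool *ended_on_heap)
{
    struct digitbuf b;
    digitbuf_init(&b);
    for (size_t i = 0; i < count; i++) {
        if (!digitbuf_push(&b, digit)) {
            digitbuf_free(&b);
            return 0;
        }
    }
    size_t len = strlen(digitbuf_str(&b));
    *ended_on_heap = b.on_heap;
    digitbuf_free(&b);
    return len;
}

int main(void)
{
    bool heap = false;
    size_t len = accumulate_digits('5', 21000000, &heap);
    printf("accumulated %zu digits, %s\n", len, heap ? "on heap" : "inline");
    return 0;
}
```

The property worth checking in a review of any such buffer is the one Schwab and Weimer argue about above: the condition that picks stack versus heap must be evaluated against the size the buffer is about to become, not the size it had when it was first extended.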
* [Bug libc/13138] scanf crashes on very long numbers
From: schwab@linux-m68k.org @ 2015-03-04 21:41 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=13138
--- Comment #9 from Andreas Schwab <schwab@linux-m68k.org> ---
It's still a logic error.
* [Bug libc/13138] scanf crashes on very long numbers
From: fweimer at redhat dot com @ 2015-03-05 6:26 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=13138
--- Comment #10 from Florian Weimer <fweimer at redhat dot com> ---
(In reply to Andreas Schwab from comment #9)
> It's still a logic error.
What do you mean? Clearly, the code does not do what is intended, but as far
as I can tell, there is no observable impact whatsoever (not even performance).
* [Bug libc/13138] scanf crashes on very long numbers
From: schwab@linux-m68k.org @ 2015-03-05 10:10 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=13138
--- Comment #11 from Andreas Schwab <schwab@linux-m68k.org> ---
A logic error is an error in the logic.