* Bug in memccpy
@ 2022-12-28 11:31 Bugs Reporter
2023-01-03 19:54 ` Jeff Johnston
0 siblings, 1 reply; 2+ messages in thread
From: Bugs Reporter @ 2022-12-28 11:31 UTC (permalink / raw)
To: newlib; +Cc: sbansal, shubhani, abhishek.rose, Jai.Arora.cs518
[-- Attachment #1: Type: text/plain, Size: 1757 bytes --]
Hi,
I am writing to report a bug in the memccpy function of newlib.
The bug is in the C implementation of memccpy as located in the
newlib/libc/string/ directory of the newlib repository. The newlib version
was `4.2.0` and the source code was downloaded from the latest release
<https://sourceware.org/pub/newlib/newlib-4.2.0.20211231.tar.gz> on the
official website.
Please find a detailed report below.
memccpy():
As specified in the OpenBSD manpage[0], memccpy should convert the input
argument `c` to `unsigned char` before performing the check. Newlib's fast
implementation of `memccpy` (when the macros `PREFER_SIZE_OVER_SPEED` and
`__OPTIMIZE_SIZE__` are not defined) converts `c` to `signed char` (stored
in endchar) and computes a mask as follows:
```
for (i = 0; i < LITTLEBLOCKSIZE; i++)
mask = (mask << 8) + endchar;
```
This is used to detect `endchar` in one long word and is supposed to
represent a word whose each byte has the same value as `endchar`. But if
the input character lies in the extended ASCII set, then `endchar` is
negative, which leads to an incorrect mask computation.
An example input is:
const char src[] = {1, 2, 3, 4, 5, 192, 6, 7};
char dst[8] = {'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H'};
memccpy(dst, src, 192, 8);
if (dst[7] != 'H') {
printf("BUG!\n");
}
The file that demonstrates the bug can be found here
<https://github.com/compilerai/bug-reports/blob/master/bug_files/newlib_memccpy_bug.c>
.
A patch that applies the necessary fix is available here
<https://github.com/compilerai/bug-reports/blob/master/patch/newlib_memccpy.patch>
.
0: https://man.openbsd.org/memccpy
Thanks,
Jai Arora, Abhishek Rose, Shubhani Gupta, Sorav Bansal
CompilerAI Research Group
IIT Delhi, India
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: Bug in memccpy
2022-12-28 11:31 Bug in memccpy Bugs Reporter
@ 2023-01-03 19:54 ` Jeff Johnston
0 siblings, 0 replies; 2+ messages in thread
From: Jeff Johnston @ 2023-01-03 19:54 UTC (permalink / raw)
To: Bugs Reporter; +Cc: newlib, sbansal, shubhani, abhishek.rose, Jai.Arora.cs518
[-- Attachment #1: Type: text/plain, Size: 2016 bytes --]
Hello,
Thanks for the patch. It has been pushed to the master repo.
-- Jeff J.
On Wed, Dec 28, 2022 at 6:32 AM Bugs Reporter <bugs@compiler.ai> wrote:
> Hi,
>
> I am writing to report a bug in the memccpy function of newlib.
> The bug is in the C implementation of memccpy as located in the
> newlib/libc/string/ directory of the newlib repository. The newlib version
> was `4.2.0` and the source code was downloaded from the latest release
> <https://sourceware.org/pub/newlib/newlib-4.2.0.20211231.tar.gz> on the
> official website.
> Please find a detailed report below.
>
> memccpy():
> As specified in the OpenBSD manpage[0], memccpy should convert the input
> argument `c` to `unsigned char` before performing the check. Newlib's fast
> implementation of `memccpy` (when the macros `PREFER_SIZE_OVER_SPEED` and
> `__OPTIMIZE_SIZE__` are not defined) converts `c` to `signed char` (stored
> in endchar) and computes a mask as follows:
> ```
> for (i = 0; i < LITTLEBLOCKSIZE; i++)
> mask = (mask << 8) + endchar;
> ```
> This is used to detect `endchar` in one long word and is supposed to
> represent a word whose each byte has the same value as `endchar`. But if
> the input character lies in the extended ASCII set, then `endchar` is
> negative, which leads to an incorrect mask computation.
>
> An example input is:
> const char src[] = {1, 2, 3, 4, 5, 192, 6, 7};
> char dst[8] = {'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H'};
> memccpy(dst, src, 192, 8);
> if (dst[7] != 'H') {
> printf("BUG!\n");
> }
>
> The file that demonstrates the bug can be found here
> <
> https://github.com/compilerai/bug-reports/blob/master/bug_files/newlib_memccpy_bug.c
> >
> .
> A patch that applies the necessary fix is available here
> <
> https://github.com/compilerai/bug-reports/blob/master/patch/newlib_memccpy.patch
> >
> .
>
> 0: https://man.openbsd.org/memccpy
>
> Thanks,
>
> Jai Arora, Abhishek Rose, Shubhani Gupta, Sorav Bansal
> CompilerAI Research Group
> IIT Delhi, India
>
>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2023-01-03 19:54 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-12-28 11:31 Bug in memccpy Bugs Reporter
2023-01-03 19:54 ` Jeff Johnston
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).