From: Bugs Reporter
Date: Wed, 28 Dec 2022 17:01:48 +0530
Subject: Bug in memccpy
To: newlib@sourceware.org
Cc: sbansal@iitd.ac.in, shubhani@sit.iitd.ac.in, abhishek.rose@cse.iitd.ac.in, Jai.Arora.cs518@cse.iitd.ac.in

Hi,

I am writing to report a bug in the memccpy function of newlib. The bug is in the C implementation of memccpy as located in the newlib/libc/string/ directory of the newlib repository. The newlib version was `4.2.0` and the source code was downloaded from the latest release on the official website. Please find a detailed report below.

memccpy():

As specified in the OpenBSD manpage[0], memccpy should convert the input argument `c` to `unsigned char` before performing the check. Newlib's fast implementation of `memccpy` (when the macros `PREFER_SIZE_OVER_SPEED` and `__OPTIMIZE_SIZE__` are not defined) converts `c` to `signed char` (stored in endchar) and computes a mask as follows:

```
for (i = 0; i < LITTLEBLOCKSIZE; i++)
  mask = (mask << 8) + endchar;
```

This is used to detect `endchar` in one long word and is supposed to represent a word whose each byte has the same value as `endchar`. But if the input character lies in the extended ASCII set, then `endchar` is negative, which leads to an incorrect mask computation.

An example input is:

```
const char src[] = {1, 2, 3, 4, 5, 192, 6, 7};
char dst[8] = {'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H'};
memccpy(dst, src, 192, 8);
if (dst[7] != 'H') {
  printf("BUG!\n");
}
```

The file that demonstrates the bug can be found here. A patch that applies the necessary fix is available here.

0: https://man.openbsd.org/memccpy

Thanks,
Jai Arora, Abhishek Rose, Shubhani Gupta, Sorav Bansal
CompilerAI Research Group
IIT Delhi, India
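The mask arithmetic described in the report, worked through on its own example input. This is an added example, not newlib's source and not the reporters' patch: `build_mask`, `memccpy_words` and `report_case` are hypothetical names, and fixed 8-byte `uint64_t` blocks are assumed in place of newlib's `long` words.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ONES  UINT64_C(0x0101010101010101)
#define HIGHS UINT64_C(0x8080808080808080)

/* Nonzero iff some byte of x is zero (word-at-a-time detection). */
static uint64_t has_zero_byte(uint64_t x) { return (x - ONES) & ~x & HIGHS; }

/* as_signed=1 builds the mask from a signed char, as the report describes: a
   negative value sign-extends and borrows from the bytes already shifted up. */
static uint64_t build_mask(int c, int as_signed) {
    signed char endchar = (signed char)(c & 0xff);  /* 192 -> -64 on two's-complement targets */
    uint64_t mask = 0;
    for (size_t i = 0; i < sizeof mask; i++)
        mask = (mask << 8) + (as_signed ? (uint64_t)endchar : (uint64_t)(unsigned char)c);
    return mask;
}

/* Simplified word-at-a-time memccpy (hypothetical helper, 8-byte blocks). */
static void *memccpy_words(void *dst0, const void *src0, int c, size_t n, uint64_t mask) {
    unsigned char *dst = dst0;
    const unsigned char *src = src0;
    uint64_t word;
    while (n >= sizeof word) {
        memcpy(&word, src, sizeof word);
        if (has_zero_byte(word ^ mask)) break;   /* c is in this word: go byte by byte */
        memcpy(dst, &word, sizeof word);
        dst += sizeof word; src += sizeof word; n -= sizeof word;
    }
    while (n--)
        if ((*dst++ = *src++) == (unsigned char)c) return dst;
    return NULL;
}

/* Runs the report's input; returns the offset of the returned pointer (-1 for NULL). */
static int report_case(uint64_t mask, char *last) {
    const unsigned char src[8] = {1, 2, 3, 4, 5, 192, 6, 7};
    char dst[8] = {'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H'};
    char *p = memccpy_words(dst, src, 192, sizeof src, mask);
    *last = dst[7];
    return p ? (int)(p - dst) : -1;
}

int main(void) {
    char a, b;
    int ra = report_case(build_mask(192, 1), &a), rb = report_case(build_mask(192, 0), &b);
    printf("signed mask: ret=%d dst[7]=%d; unsigned mask: ret=%d dst[7]=%d\n", ra, a, rb, b);
}
```

With the signed mask the word holding 192 is never flagged, so all eight bytes are copied past the stop character and the call returns NULL.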