Bug 14404 - strtod causes invalid memory access on certain inputs
Summary: strtod causes invalid memory access on certain inputs
Status: RESOLVED INVALID
Alias: None
Product: glibc
Classification: Unclassified
Component: libc
Version: 2.16
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-07-25 19:37 UTC by Charles Salvia
Modified: 2014-06-17 18:55 UTC

See Also:
Host:
Target:
Build:
Last reconfirmed:
fweimer: security-


Description Charles Salvia 2012-07-25 19:37:16 UTC
The function strtod in GLIBC (implemented in stdlib/strtod_l.c) has a bug when checking for "inf" or "nan" in strtod_l.c.

The issue causes Valgrind to report an invalid memory access.  It can be reproduced easily by simply trying to use strtod on a string that starts with the letter "i" or "n":

	#include <cstdlib>   // std::malloc, std::free, std::strtod
	#include <cstring>   // std::memset, std::strcpy
	char* s = (char*)malloc(12);   // cast needed in C++: malloc returns void*
	memset(s, 0, 12);
	strcpy(s, "ichabod");
	double v = std::strtod(s, NULL);
	free(s);

This causes Valgrind to report:

==20062== Invalid read of size 8
==20062==    at 0x565A147: __GI___strncasecmp_l (strcmp.S:215)
==20062==    by 0x5610F5E: ____strtod_l_internal (strtod_l.c:577)
==20062==    by 0x404B43: main (test4.cc:310)
==20062==  Address 0x5971048 is 8 bytes inside a block of size 12 alloc'd
==20062==    at 0x4C28F9F: malloc (vg_replace_malloc.c:236)
==20062==    by 0x404B07: main (test4.cc:307)

The bug seems to have something to do with the use of the STRNCASECMP macro when checking for "inf" and "nan".
Comment 1 Andreas Schwab 2012-07-25 20:30:01 UTC
This is a false positive due to read-ahead, and reading from a 16-byte aligned address cannot cross a page boundary.  Valgrind needs to whitelist that access.
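The following C program is an added example, not code from the report or from glibc. It makes two things checkable: the reporter's reproducer (strtod on a short heap string starting with "i" or "n", run with an end pointer so the value and the number of consumed characters can be inspected), and the page-boundary arithmetic behind comment 1, namely that a page size that is a multiple of 16 leaves no room for a 16-byte read from a 16-byte aligned address to spill into the next page, whereas an 8-byte read from an arbitrary address can. The function names, the 4096-byte page size used in main, and the sample inputs are the example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Page-boundary arithmetic behind comment 1. page_size must be a power of
   two; it is passed in rather than assumed (4096 on typical Linux targets). */

/* Returns 1 if a width-byte read starting at addr touches two pages. */
int read_crosses_page(uintptr_t addr, size_t width, size_t page_size)
{
    uintptr_t mask = ~(uintptr_t)(page_size - 1);
    return (addr & mask) != ((addr + width - 1) & mask);
}

/* Returns 1 if some align-aligned start address within a page lets a
   width-byte read cross into the next page. With align == width == 16 the
   answer is 0 for any page size that is a multiple of 16, which is the
   property the read-ahead in strncasecmp relies on. */
int any_aligned_read_crosses(size_t align, size_t width, size_t page_size)
{
    uintptr_t a;
    for (a = 0; a < page_size; a += align)
        if (read_crosses_page(a, width, page_size))
            return 1;
    return 0;
}

/* The report's reproducer made checkable: copy text into a fresh 12-byte
   heap buffer as in the report, call strtod with an end pointer, and hand
   back both the value and the number of characters consumed. */
static double parse_from_heap(const char *text, size_t *consumed)
{
    char *s = malloc(12);
    char *end = NULL;
    double v;
    if (s == NULL) { *consumed = 0; return 0.0; }
    memset(s, 0, 12);
    strncpy(s, text, 11);          /* keeps the NUL written by memset */
    v = strtod(s, &end);
    *consumed = (size_t)(end - s); /* 0 when no conversion was performed */
    free(s);
    return v;
}

double strtod_value(const char *text)
{
    size_t n;
    return parse_from_heap(text, &n);
}

size_t strtod_consumed(const char *text)
{
    size_t n;
    (void)parse_from_heap(text, &n);
    return n;
}

int main(void)
{
    /* Constructed inputs: a non-number starting with 'i', one starting
       with 'n', and the special spellings strtod does accept. */
    const char *inputs[] = { "ichabod", "nancy", "inf", "infinity", "nan" };
    size_t i;
    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-9s -> value %g, consumed %zu\n", inputs[i],
               strtod_value(inputs[i]), strtod_consumed(inputs[i]));
    printf("16-byte read from a 16-byte aligned address can cross a page: %s\n",
           any_aligned_read_crosses(16, 16, 4096) ? "yes" : "no");
    printf("8-byte read from an arbitrary address can cross a page: %s\n",
           any_aligned_read_crosses(1, 8, 4096) ? "yes" : "no");
    return 0;
}
```

Running it under Valgrind reproduces the report's "Invalid read" for the "ichabod" case on affected builds while the program itself behaves correctly: strtod consumes nothing and returns 0 for "ichabod", and the aligned-read check confirms that the read-ahead cannot reach an unmapped page, which is why the report was closed as a Valgrind false positive rather than a glibc defect.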