This is the mail archive of the mailing list for the glibc project.


[Bug string/19391] New: strnlen invokes UB by adding maxlen to str

            Bug ID: 19391
           Summary: strnlen invokes UB by adding maxlen to str
           Product: glibc
           Version: 2.24
            Status: NEW
          Severity: normal
          Priority: P2
         Component: string
          Assignee: unassigned at sourceware dot org
          Reporter: pascal_cuoq at hotmail dot com
  Target Milestone: ---

Consider the function strnlen:

size_t strnlen (const char *str, size_t maxlen);

The POSIX standard does not mandate that maxlen bytes are valid to access from
the pointer str:

The maxlen argument is used to limit the number of chars accessed (and the
length returned), but there is no constraint that all bytes between str + 0 and
str + maxlen - 1 are part of the same object.

When maxlen is larger than the number of bytes that are part of an object
including str, the addition str + maxlen invokes undefined behavior:
;a=blob;f=string/strnlen.c;h=d2bb843fddbf93eebb857cd0896cb3441bafa431;hb=HEAD#l36

The comparison end_ptr < str is nonsensical: it is always false when the
pointer arithmetic str + maxlen is defined. An optimizing compiler is allowed
to treat this expression as false:
;a=blob;f=string/strnlen.c;h=d2bb843fddbf93eebb857cd0896cb3441bafa431;hb=HEAD#l43

Glibc is only intended to be compiled with GCC. Unfortunately, it is GCC that
made headlines in 2008 for optimizing "end_ptr < str"-type pointer overflow
checks to false:
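The report's point is that a guard of the form "compute str + maxlen, then check whether it wrapped" cannot protect anything: when the addition is defined the check is always false, and when it is not defined the program is already in undefined behaviour, so the compiler may drop the check entirely. The following is an added example, not glibc's code and not the reporter's, of a strnlen-style scan that avoids the problem by never forming the pointer str + maxlen at all. The function name bounded_strnlen and the sample inputs are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical replacement (not glibc's implementation): a strnlen that
   never computes str + maxlen.  It indexes one byte at a time and stops
   at the first NUL or after maxlen bytes, so the only pointers it forms
   point at bytes it actually accesses (or one past the last one), and a
   maxlen larger than the object is harmless as long as a NUL is reached
   first.  No "end_ptr < str" style wrap check is needed or attempted:
   such a check is either always false (addition defined) or already UB
   (addition undefined), which is exactly why a compiler may delete it. */
size_t bounded_strnlen(const char *str, size_t maxlen)
{
    size_t i;
    for (i = 0; i < maxlen; i++) {
        if (str[i] == '\0')
            return i;
    }
    return maxlen;
}

/* Exercise the edge cases the report is about.  The inputs are constructed
   for this example: a maxlen far larger than the object (SIZE_MAX), a
   buffer with no terminator at all, and maxlen 0.  Returns 1 if every case
   behaves as expected, 0 otherwise. */
int run_checks(void)
{
    const char hello[] = "hello";                /* 6 bytes including NUL */
    const char raw[4] = { 'a', 'b', 'c', 'd' };  /* no NUL anywhere */

    if (bounded_strnlen(hello, SIZE_MAX) != 5) return 0;  /* stops at NUL */
    if (bounded_strnlen(hello, 2) != 2) return 0;         /* limit wins */
    if (bounded_strnlen(raw, sizeof raw) != 4) return 0;  /* never reads past raw */
    if (bounded_strnlen(raw, 0) != 0) return 0;           /* reads nothing */
    return 1;
}

int main(void)
{
    printf("bounded_strnlen checks %s\n", run_checks() ? "passed" : "FAILED");
    return run_checks() ? 0 : 1;
}
```

The key design choice is that the loop bound is an index compared against maxlen, so the scan is limited by the count of bytes read rather than by a precomputed end pointer; the caller remains responsible for passing a maxlen that does not exceed the object when no terminator is present, which is the contract the report describes.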

