This is the mail archive of the mailing list for the glibc project.
[Bug string/19411] New: mbrtoc16 and mbrtowc: UB when n is larger than input size
- From: "cherepan at mccme dot ru" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Mon, 28 Dec 2015 14:08:45 +0000
- Subject: [Bug string/19411] New: mbrtoc16 and mbrtowc: UB when n is larger than input size
- Auto-submitted: auto-generated
Bug ID: 19411
Summary: mbrtoc16 and mbrtowc: UB when n is larger than input size
Assignee: unassigned at sourceware dot org
Reporter: cherepan at mccme dot ru
Target Milestone: ---
size_t mbrtowc (wchar_t *pwc, const char *s, size_t n, mbstate_t *ps)
size_t mbrtoc16 (char16_t *pc16, const char *s, size_t n, mbstate_t *ps)
have a limit n on the number of processed bytes but it seems that the source
array s is not required to contain n accessible bytes. At least the commit
added checks for pointer wrapping into mbrtowc and a test case with n=SIZE_MAX
(the test case uses mbtowc which in turn passes everything to __mbrtowc).
The check looks like this:
endbuf = inbuf + n;
if (__glibc_unlikely (endbuf < inbuf))
This code is invalid. The sum "inbuf + n" is undefined by the C standard when
the result doesn't point into the same array. Then, checks for pointer wrapping
like "endbuf < inbuf" are already "miscompiled" by clang and, I guess, could be
expected to be broken by gcc in the future.
Similar to pr19391.
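As an added illustration of the alternative the report implies (comparing sizes rather than forming "inbuf + n"), the following is a constructed minimal UTF-8 decoder with mbrtowc's return convention; it is not code from the bug report or from glibc. It assumes the caller supplies either the complete first character or at least n bytes, and it clamps the lookahead to a hypothetical constant MAX_CHAR_BYTES before any index is derived from n, so an n of SIZE_MAX never produces an out-of-bounds pointer.

```c
#include <stddef.h>
#include <stdint.h>

/* Longest byte sequence one character may occupy in this (UTF-8) decoder.
   Hypothetical constant for this example; a C library would use MB_LEN_MAX. */
#define MAX_CHAR_BYTES 4

/* Decode the first UTF-8 character of s, examining at most n bytes.
   Return value follows the mbrtowc convention: bytes consumed on success,
   (size_t)-2 if the available bytes are an incomplete sequence,
   (size_t)-1 if the bytes are not valid UTF-8.
   n may be SIZE_MAX (as passed by mbtowc-style wrappers): the bound is
   clamped to MAX_CHAR_BYTES *before* any index or pointer is derived from
   it, so "s + n" is never formed and no wraparound test is needed. */
size_t decode_utf8_first(uint32_t *out, const unsigned char *s, size_t n)
{
    size_t limit = n < MAX_CHAR_BYTES ? n : MAX_CHAR_BYTES;
    if (limit == 0)
        return (size_t)-2;                       /* nothing to look at yet */

    unsigned char c = s[0];
    size_t len;
    uint32_t cp;
    if (c < 0x80)                { len = 1; cp = c; }
    else if ((c & 0xE0) == 0xC0) { len = 2; cp = c & 0x1F; }
    else if ((c & 0xF0) == 0xE0) { len = 3; cp = c & 0x0F; }
    else if ((c & 0xF8) == 0xF0) { len = 4; cp = c & 0x07; }
    else return (size_t)-1;                      /* stray continuation or 0xF8+ */

    /* Bounds are compared as sizes, never as pointers. */
    for (size_t i = 1; i < len; i++) {
        if (i >= limit)
            return (size_t)-2;                   /* need more input than n allows */
        if ((s[i] & 0xC0) != 0x80)
            return (size_t)-1;
        cp = (cp << 6) | (s[i] & 0x3F);
    }

    /* Reject overlong forms, UTF-16 surrogates and values above U+10FFFF. */
    if ((len == 2 && cp < 0x80) || (len == 3 && cp < 0x800) ||
        (len == 4 && cp < 0x10000) || cp > 0x10FFFF ||
        (cp >= 0xD800 && cp <= 0xDFFF))
        return (size_t)-1;

    *out = cp;
    return len;
}
```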