This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug string/19411] New: mbrtoc16 and mbrtowc: UB when n is larger than input size
- From: "cherepan at mccme dot ru" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Mon, 28 Dec 2015 14:08:45 +0000
- Subject: [Bug string/19411] New: mbrtoc16 and mbrtowc: UB when n is larger than input size
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=19411
Bug ID: 19411
Summary: mbrtoc16 and mbrtowc: UB when n is larger than input size
Product: glibc
Version: 2.22
Status: NEW
Severity: normal
Priority: P2
Component: string
Assignee: unassigned at sourceware dot org
Reporter: cherepan at mccme dot ru
Target Milestone: ---
The functions

  size_t mbrtowc (wchar_t *pwc, const char *s, size_t n, mbstate_t *ps)
  size_t mbrtoc16 (char16_t *pc16, const char *s, size_t n, mbstate_t *ps)

have a limit n on the number of processed bytes but it seems that the source
array s is not required to contain n accessible bytes. At least the commit
https://sourceware.org/git/?p=glibc.git;a=commit;h=16edf13b226dbe5f4f39794cfa363904af2c7973
added checks for pointer wrapping into mbrtowc and a test case with n=SIZE_MAX
(the test case uses mbtowc which in turn passes everything to __mbrtowc).
The check looks like this:

  endbuf = inbuf + n;
  if (__glibc_unlikely (endbuf < inbuf))

https://sourceware.org/git/?p=glibc.git;a=blob;f=wcsmbs/mbrtowc.c;h=dbfe9403a64a544a233a7b9d8f6bcab92d9edb28;hb=HEAD#l74
https://sourceware.org/git/?p=glibc.git;a=blob;f=wcsmbs/mbrtoc16.c;h=f23b24262b8fffaeed67c57155e47379e44b48fd;hb=HEAD#l92
This code is invalid. The sum "inbuf + n" is undefined by the C standard when
the result doesn't point into the same array. Then, checks for pointer wrapping
like "endbuf < inbuf" are already "miscompiled" by clang and, I guess, could be
expected to be broken by gcc in the future.
Similar to pr19391.
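The check quoted in the report forms the pointer inbuf + n first and only then asks whether it wrapped, so the comparison is evaluated on a value that is already undefined whenever n exceeds the bytes s really holds. The following is an added example, not glibc's mbrtowc code and not something the reporter posted: a minimal UTF-8 decoder (UTF-8 is assumed here for concreteness; the real function goes through the locale's gconv converter) that keeps the same contract, at most n bytes examined, but bounds the walk with a size_t byte index instead of an end pointer. The names decode_utf8, decode_utf8_in_buffer, utf8_need and the two DECODE_ constants are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Return values, mirroring the mbrtowc(3) convention. */
#define DECODE_INCOMPLETE ((size_t)-2)  /* permitted bytes ran out mid-sequence */
#define DECODE_INVALID    ((size_t)-1)  /* not a valid UTF-8 sequence */

/* Bytes a UTF-8 sequence occupies, judged from its lead byte; 0 for a byte
   that cannot start a sequence (a continuation byte or 0xF8..0xFF). */
static size_t utf8_need(unsigned char lead)
{
    if (lead < 0x80)            return 1;
    if ((lead & 0xE0) == 0xC0)  return 2;
    if ((lead & 0xF0) == 0xE0)  return 3;
    if ((lead & 0xF8) == 0xF0)  return 4;
    return 0;
}

/* Decode one UTF-8 character from s, examining at most n bytes.
   The pattern from the bug report,
       endbuf = inbuf + n;  if (endbuf < inbuf) ...
   forms a pointer outside the array whenever n exceeds what s really holds,
   so the comparison is undefined before it even runs.  This version bounds
   the walk with the byte index i (a size_t, which cannot overflow into UB)
   and dereferences s[i] only for i < need, so n == SIZE_MAX is a legitimate
   "no limit" argument as long as s holds a complete sequence. */
size_t decode_utf8(const char *s, size_t n, uint32_t *out)
{
    if (n == 0)
        return DECODE_INCOMPLETE;

    unsigned char lead = (unsigned char)s[0];
    size_t need = utf8_need(lead);
    if (need == 0)
        return DECODE_INVALID;

    /* Payload bits of the lead byte: 7 for ASCII, otherwise 7 - need. */
    uint32_t cp = (need == 1) ? lead : (uint32_t)(lead & (0x7F >> need));

    for (size_t i = 1; i < need; i++) {
        if (i >= n)                         /* permitted bytes exhausted */
            return DECODE_INCOMPLETE;
        unsigned char c = (unsigned char)s[i];
        if ((c & 0xC0) != 0x80)             /* not a continuation byte */
            return DECODE_INVALID;
        cp = (cp << 6) | (c & 0x3F);
    }

    /* Reject overlong forms, UTF-16 surrogates and code points past U+10FFFF. */
    if ((need == 2 && cp < 0x80) || (need == 3 && cp < 0x800) ||
        (need == 4 && cp < 0x10000) || cp > 0x10FFFF ||
        (cp >= 0xD800 && cp <= 0xDFFF))
        return DECODE_INVALID;

    if (out)
        *out = cp;
    return need;
}

/* Caller-side discipline: when the real buffer size is known, clamp n to it
   so the decoder is never promised more bytes than actually exist. */
size_t decode_utf8_in_buffer(const char *buf, size_t buflen, size_t n, uint32_t *out)
{
    return decode_utf8(buf, n < buflen ? n : buflen, out);
}

int main(void)
{
    /* Constructed inputs: "A", U+00E9, U+20AC, U+1F600, and an overlong NUL. */
    const char *samples[] = { "A", "\xC3\xA9", "\xE2\x82\xAC", "\xF0\x9F\x98\x80", "\xC0\x80" };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        uint32_t cp = 0;
        size_t r = decode_utf8(samples[k], SIZE_MAX, &cp);
        if (r == DECODE_INVALID)
            printf("sample %zu: invalid\n", k);
        else if (r == DECODE_INCOMPLETE)
            printf("sample %zu: incomplete\n", k);
        else
            printf("sample %zu: %zu bytes -> U+%04X\n", k, r, (unsigned)cp);
    }
    return 0;
}
```

The design point is that the limit is enforced by comparing two integers (i < n) rather than two pointers, so there is no out-of-bounds pointer for the compiler to reason about, and the n = SIZE_MAX case that the commit's test exercises needs no special wrap check at all. The clamping wrapper shows the other half of the contract: a caller that knows the true buffer length should pass that length, not a larger n, because the callee cannot tell how many bytes are really accessible.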