The bug is that some implementations assume that maxlen or n from wcsnlen and wmemchr/wcsncat times sizeof(wchar_t) will not overflow. It appears, however that there is no defined limit on maxlen * sizeof(wchar_t) https://marc.info/?l=glibc-alpha&m=162323134028410&w=2 This bug would found in the following x86_64 implementations of wcsnlen and wmemchr. wcsnlen-sse4_1 -> https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/x86_64/strlen.S;h=d223ea1700a7d0cb0dcf9c8f251f09d5b9eea91e;hb=HEAD#l68 wcsnlen-avx2 -> https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/x86_64/multiarch/strlen-avx2.S;h=bd2e6ee44a8ae113dfdb0de8bc6fc1b405d7ef28;hb=HEAD#l57 wmemchr-sse2 -> https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/x86_64/memchr.S;h=beff2708de6a1e40de4141f94ff6fe763f041164;hb=HEAD#l39 wmemchr-avx2 -> https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/x86_64/multiarch/memchr-avx2.S;h=0d8758e3e7190fbe54243312b7ecc2952e85465a;hb=HEAD#l66 This bug will also be present in wcsncat which uses wcsnlen: https://sourceware.org/git/?p=glibc.git;a=blob;f=wcsmbs/wcsncat.c;h=27de72af6c7733fe0e27661874b64d57659b5ed9;hb=HEAD#l34 For example with a string of length 1000 the following cases would highlight the bug: wmemchr(string_length_1000, 0, (2^62) + 1) // would return NULL rather than s + 1000 wcsnlen(string_length_1000, (2^62) + 1) // would return 1 rather than 1000 wcsncat(s2, string_length_1000, (2^62) + 1) // would only copy 1 wide char
Fixed in commits: String: Add overflow tests for strnlen, memchr, and strncat [BZ #27974] da5a6fba0febbfc90896ce1b2eb75c6d8a88a72d x86: Fix overflow bug with wmemchr-sse2 and wmemchr-avx2 [BZ #27974] 645a158978f9520e74074e8c14047503be4db0f0 x86: Fix overflow bug in wcsnlen-sse4_1 and wcsnlen-avx2 [BZ #27974] a775a7a3eb1e85b54af0b4ee5ff4dcf66772a1fb
The release/2.33/master branch has been updated by H.J. Lu <hjl@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=25941de34e1ab24b869702f4a8caca330f0498a1 commit 25941de34e1ab24b869702f4a8caca330f0498a1 Author: H.J. Lu <hjl.tools@gmail.com> Date: Thu Jan 27 13:10:09 2022 -0800 NEWS: Add a bug fix entry for BZ #27974
The release/2.32/master branch has been updated by H.J. Lu <hjl@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bee0b69a58e341b70b2f9db6078ae047827ff209 commit bee0b69a58e341b70b2f9db6078ae047827ff209 Author: H.J. Lu <hjl.tools@gmail.com> Date: Thu Jan 27 14:46:15 2022 -0800 NEWS: Add a bug fix entry for BZ #27974
The release/2.31/master branch has been updated by H.J. Lu <hjl@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=70d293a158680bd40b07de1cd772bd833ff263f4 commit 70d293a158680bd40b07de1cd772bd833ff263f4 Author: H.J. Lu <hjl.tools@gmail.com> Date: Thu Jan 27 15:50:22 2022 -0800 NEWS: Add a bug fix entry for BZ #27974
The release/2.30/master branch has been updated by H.J. Lu <hjl@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=25ed98a8827c083c8241cf9b5e2d2ec81c9dbe6f commit 25ed98a8827c083c8241cf9b5e2d2ec81c9dbe6f Author: H.J. Lu <hjl.tools@gmail.com> Date: Thu Jan 27 16:02:09 2022 -0800 NEWS: Add a bug fix entry for BZ #27974
The release/2.29/master branch has been updated by H.J. Lu <hjl@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a0ed5893fcc2e236d9f3e9ad7651efdbdecbcc2b commit a0ed5893fcc2e236d9f3e9ad7651efdbdecbcc2b Author: H.J. Lu <hjl.tools@gmail.com> Date: Thu Jan 27 16:27:20 2022 -0800 NEWS: Add a bug fix entry for BZ #27974
The release/2.28/master branch has been updated by H.J. Lu <hjl@sourceware.org>: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b0fcf886725f666e3406069fe33166bedc1efa91 commit b0fcf886725f666e3406069fe33166bedc1efa91 Author: H.J. Lu <hjl.tools@gmail.com> Date: Thu Jan 27 16:37:50 2022 -0800 NEWS: Add a bug fix entry for BZ #27974
Fixed for 2.34 and all release branches.