This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug string/19391] New: strnlen invokes UB by adding maxlen to str
- From: "pascal_cuoq at hotmail dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Mon, 21 Dec 2015 22:51:06 +0000
- Subject: [Bug string/19391] New: strnlen invokes UB by adding maxlen to str
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=19391
Bug ID: 19391
Summary: strnlen invokes UB by adding maxlen to str
Product: glibc
Version: 2.24
Status: NEW
Severity: normal
Priority: P2
Component: string
Assignee: unassigned at sourceware dot org
Reporter: pascal_cuoq at hotmail dot com
Target Milestone: ---
Consider the function strnlen:
size_t strnlen (const char *str, size_t maxlen);
The POSIX standard does not mandate that maxlen bytes are valid to access from
the pointer str:
http://pubs.opengroup.org/onlinepubs/9699919799/functions/strlen.html
The maxlen argument is used to limit the number of chars accessed (and the
length returned) but there is no constraint that all bytes between str + 0 and
str + maxlen - 1 are part of the same object.
When maxlen is larger than the number of bytes that are part of an object
including str, the addition str + maxlen invokes undefined behavior:
https://sourceware.org/git/?p=glibc.git;a=blob;f=string/strnlen.c;h=d2bb843fddbf93eebb857cd0896cb3441bafa431;hb=HEAD#l36
The comparison end_ptr < str is nonsensical: it is always false when the
pointer arithmetic str + maxlen is defined. An optimizing compiler is allowed
to treat this expression as false:
https://sourceware.org/git/?p=glibc.git;a=blob;f=string/strnlen.c;h=d2bb843fddbf93eebb857cd0896cb3441bafa431;hb=HEAD#l43
Glibc is only intended to be compiled with GCC. Unfortunately, it is GCC that
made headlines in 2008 for optimizing "end_ptr < str"-type pointer overflow
checks to false:
https://lwn.net/Articles/278137/
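Added example, not glibc's code and not the reporter's: a simplified sketch of the end-pointer pattern the report describes (strnlen_endptr, a hypothetical name) beside an index-bounded form (strnlen_indexed, also hypothetical) that never computes str + maxlen, so a maxlen larger than the object, such as SIZE_MAX, stays within defined behavior.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Pattern the report criticises (simplified, not glibc's code): the end
   pointer str + maxlen is formed up front, which is undefined as soon as
   maxlen exceeds the size of the object str points into. The end_ptr < str
   guard only "works" after an overflow that is itself undefined, so the
   compiler may legitimately fold it to false. Only call with an in-bounds
   maxlen. */
static size_t strnlen_endptr(const char *str, size_t maxlen)
{
    const char *end_ptr = str + maxlen; /* UB if maxlen > object size */
    const char *p = str;
    if (end_ptr < str)                  /* compiler may drop this check */
        end_ptr = (const char *)(uintptr_t)-1;
    while (p < end_ptr && *p != '\0')
        p++;
    return (size_t)(p - str);
}

/* Hardened form: bound the loop by an index, not by a precomputed end
   pointer. The only pointers ever formed are str + i for bytes actually
   read, so a NUL inside the object stops the scan before maxlen even when
   maxlen is SIZE_MAX. This matches what POSIX promises: at most maxlen
   bytes are accessed, with no requirement that maxlen bytes exist. */
static size_t strnlen_indexed(const char *str, size_t maxlen)
{
    size_t i;
    for (i = 0; i < maxlen && str[i] != '\0'; i++)
        ;
    return i;
}

int main(void)
{
    /* Constructed sample: a 4-byte string literal, maxlen far larger
       than the object. Valid per POSIX, but str + SIZE_MAX would be UB. */
    printf("indexed(\"abc\", SIZE_MAX) = %zu\n",
           strnlen_indexed("abc", SIZE_MAX));   /* 3 */
    printf("indexed(\"abcdef\", 3)     = %zu\n",
           strnlen_indexed("abcdef", 3));       /* 3 */
    printf("endptr(\"abc\", 4)         = %zu\n",
           strnlen_endptr("abc", 4));           /* 3, in-bounds only */
    return 0;
}
```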