This is the mail archive of the
libc-alpha@sourceware.cygnus.com
mailing list for the glibc project.
Ad PR libc/1730: glibc bug in memmem()
- To: libc-alpha Mailinglist <libc-alpha at sourceware dot cygnus dot com>
- Subject: Ad PR libc/1730: glibc bug in memmem()
- From: Andreas Jaeger <aj at suse dot de>
- Date: 17 May 2000 09:43:33 +0200
- Cc: Greg Hudson <ghudson at mit dot edu>
The appended bug report has been reported for glibc's memmem
implementation.
I propose the appended patch. What do you think?
Andreas
2000-05-17 Andreas Jaeger <aj@suse.de>
* sysdeps/generic/memmem.c (memmem): Check for invalid parameter.
Closes PR libc/1730, reported by Greg Hudson <ghudson@mit.edu>.
============================================================
Index: sysdeps/generic/memmem.c
--- sysdeps/generic/memmem.c 1998/01/30 13:39:22 1.10
+++ sysdeps/generic/memmem.c 2000/05/17 07:42:03
@@ -1,4 +1,4 @@
-/* Copyright (C) 1991, 92, 93, 94, 96, 97, 98 Free Software Foundation, Inc.
+/* Copyright (C) 1991,92,93,94,96,97,98,2000 Free Software Foundation, Inc.
This file is part of the GNU C Library.
The GNU C Library is free software; you can redistribute it and/or
@@ -37,6 +37,11 @@
/* The first occurrence of the empty string is deemed to occur at
the beginning of the string. */
return (void *) haystack;
+
+ /* Sanity check, otherwise the loop will search through the whole
+ memory. */
+ if (haystack_len < needle_len)
+ return NULL;
for (begin = (const char *) haystack; begin <= last_possible; ++begin)
if (begin[0] == ((const char *) needle)[0] &&
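Review bot: the new check is placed after the point where, per the bug report below, `last_possible = (const char *) haystack + haystack_len - needle_len;` has already been computed at the top of the function, so the out-of-range pointer is still formed before the check rejects the call; in C, producing a pointer outside the object is undefined behaviour even if it is never dereferenced. Moving the `if (haystack_len < needle_len) return NULL;` check ahead of the computation of `last_possible` (or computing `last_possible` only after the check) fixes this cleanly. The comment could also say what the check actually prevents (an invalid `last_possible` pointer) rather than "the loop will search through the whole memory", which is the symptom rather than the cause.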
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: Greg Hudson <ghudson@mit.edu>
To: bugs@gnu.org
Subject: glibc bug in memmem()
>Number: 1730
>Category: libc
>Synopsis: glibc bug in memmem()
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: libc-gnats
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed May 10 21:50:01 EDT 2000
>Last-Modified: Wed May 17 03:20:19 EDT 2000
>Originator:
>Organization:
>Release:
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Audit-Trail:
Responsible-Changed-From-To: gnats-admin->libc-gnats
Responsible-Changed-By: jaeger
Responsible-Changed-When: Wed May 17 03:20:10 2000
Responsible-Changed-Why:
This is a glibc bug.
Andreas
>Unformatted:
(I'd use the glibcbug shell script, but that only exists if you've
built glibc, which I haven't; I merely cribbed some of its code.)
memmem() begins with the following computation:
last_possible = (const char *) haystack + haystack_len - needle_len;
This computation computes an invalid pointer value if haystack_len is
less than needle_len. In particular, if haystack is 0 and
haystack_len is 0 (which is perfectly valid and reasonable on a system
where malloc(0) returns 0), then the value computed will be some large
pointer, and memmem() will dereference invalid memory in its loop.
You need a special-case check for haystack_len < needle_len.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--
Andreas Jaeger
SuSE Labs aj@suse.de
private aj@arthur.inka.de
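The bug report above describes an unsigned underflow in the computation of `last_possible`. As an added example, not code from glibc or from either poster, here is a small reimplementation of `memmem` with the length check placed before any pointer arithmetic, plus a helper that shows the wrap-around in plain integer arithmetic without ever forming an invalid pointer. The names `memmem_checked`, `memmem_offset`, `unchecked_span` and `unchecked_span_wraps` are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hardened memmem: the haystack_len < needle_len check runs before
   last_possible is computed, so no out-of-range pointer is ever formed.
   A zero-length haystack with a NULL pointer (as from malloc(0) on some
   systems, the case in the bug report) returns NULL without touching memory. */
void *memmem_checked(const void *haystack, size_t haystack_len,
                     const void *needle, size_t needle_len)
{
    const char *h = (const char *) haystack;
    const char *n = (const char *) needle;

    /* Empty needle: found at the start, as glibc does. */
    if (needle_len == 0)
        return (void *) h;

    /* The check from the patch, moved ahead of the subtraction it protects. */
    if (haystack_len < needle_len)
        return NULL;

    const char *last_possible = h + (haystack_len - needle_len);
    for (const char *begin = h; begin <= last_possible; ++begin)
        if (begin[0] == n[0] && memcmp(begin, n, needle_len) == 0)
            return (void *) begin;
    return NULL;
}

/* Convenience wrapper for tests: byte offset of the match, or -1. */
long memmem_offset(const char *haystack, size_t haystack_len,
                   const char *needle, size_t needle_len)
{
    const char *p = (const char *) memmem_checked(haystack, haystack_len,
                                                  needle, needle_len);
    return p ? (long) (p - haystack) : -1L;
}

/* What the unchecked code computes as the offset of last_possible:
   size_t subtraction wraps, so for haystack_len < needle_len the loop
   bound lands far past the end of the haystack. Integer-only, no pointer
   is formed here, so this is safe to call with any lengths. */
size_t unchecked_span(size_t haystack_len, size_t needle_len)
{
    return haystack_len - needle_len;
}

int unchecked_span_wraps(size_t haystack_len, size_t needle_len)
{
    return unchecked_span(haystack_len, needle_len) > haystack_len;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char hay[] = "hello world";
    printf("\"world\" at %ld\n", memmem_offset(hay, 11, "world", 5));
    printf("too-long needle at %ld\n", memmem_offset(hay, 11, "hello world!", 12));
    printf("NULL/0 haystack at %ld\n", memmem_offset(NULL, 0, "abc", 3));
    printf("unchecked span for (0,3) wraps: %d\n", unchecked_span_wraps(0, 3));
    return 0;
}
```

The order of the two early returns matters: the empty-needle case must come first, since `haystack_len < needle_len` is never true for `needle_len == 0`, and a zero-length haystack with an empty needle still returns `haystack` as the original does.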