This is the mail archive of the libc-alpha@sources.redhat.com mailing list for the glibc project.
Re: Possible bug in wcsxfrm() with included testcase
- From: Jakub Jelinek <jakub at redhat dot com>
- To: Art Haas <ahaas at airmail dot net>
- Cc: libc-alpha at sources dot redhat dot com
- Date: Tue, 22 Jul 2003 15:43:36 +0200
- Subject: Re: Possible bug in wcsxfrm() with included testcase
- References: <20030722132954.GA17577@artsapartment.org>
- Reply-to: Jakub Jelinek <jakub at redhat dot com>
On Tue, Jul 22, 2003 at 08:29:54AM -0500, Art Haas wrote:
> /* this function comes from glibc info pages */
> wchar_t *
> mbstouwcs (const char *s)
> {
>   size_t len;
>   wchar_t *result;
>   wchar_t *wcp;
>   wchar_t tmp[1];
>   mbstate_t state;
>   size_t nbytes;
>
>   len = strlen(s);
>   result = malloc((len + 1) * sizeof(wchar_t));
>   if (result == NULL) {
>     return NULL;
>   }
>   wcp = result;
>   memset (&state, '\0', sizeof (state));
>   while ((nbytes = mbrtowc (tmp, s, len, &state)) > 0)
>     {
>       if (nbytes >= (size_t) -2)
>         /* Invalid input string. */
>         return NULL;
>       *result++ = towupper (tmp[0]);
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>       len -= nbytes;
>       s += nbytes;
>     }
>   return result;
    ^^^^^^^^^^^^^^^^^^
> }
...
> wcstr = mbstouwcs(cp);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> wcsxfrm(result_wc, wcstr, xfrm_len + 1); /* BOOM! */
> free(result_wc);
> free(wcstr);
^^^^^^^^^^^^^^^^^^^^^^^
This doesn't look like a valid testcase. mbstouwcs returns the end of
the string, not the beginning (i.e. what has been malloc'ed) and then you
free the pointer returned by it (i.e. end, not start of the memory block).
Jakub
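A corrected form of the quoted function and its caller, as an added example that is not part of the original thread or of glibc: the cursor `wcp` advances while `result` keeps the address `malloc()` returned, so the later `free()` receives the start of the block. The name `mbstouwcs_fixed` and the sample string are assumptions made here; the example also terminates the output and frees the block on invalid input, which the quoted code does not do.

```c
#include <stdlib.h>
#include <string.h>
#include <wchar.h>
#include <wctype.h>

/* Hypothetical corrected variant of the quoted mbstouwcs(): writes go
   through wcp, and result still points at the start of the allocation. */
wchar_t *
mbstouwcs_fixed (const char *s)
{
  size_t len = strlen (s);
  /* Each multibyte character uses at least one byte: len + 1 is enough. */
  wchar_t *result = malloc ((len + 1) * sizeof (wchar_t));
  wchar_t *wcp = result;
  mbstate_t state;

  if (result == NULL)
    return NULL;
  memset (&state, '\0', sizeof (state));
  while (len > 0)
    {
      wchar_t tmp;
      size_t nbytes = mbrtowc (&tmp, s, len, &state);
      if (nbytes >= (size_t) -2)
        {
          /* Invalid or truncated sequence: release the block, no leak. */
          free (result);
          return NULL;
        }
      if (nbytes == 0)          /* defensive: NUL lies outside len bytes */
        break;
      *wcp++ = (wchar_t) towupper ((wint_t) tmp);
      len -= nbytes;
      s += nbytes;
    }
  *wcp = L'\0';                 /* wcsxfrm() needs a terminated string */
  return result;                /* start of the block, valid for free() */
}

int
main (void)
{
  wchar_t *wcstr = mbstouwcs_fixed ("testcase");   /* constructed input */
  if (wcstr == NULL)
    return 1;
  size_t xfrm_len = wcsxfrm (NULL, wcstr, 0);      /* query needed length */
  wchar_t *result_wc = malloc ((xfrm_len + 1) * sizeof (wchar_t));
  if (result_wc != NULL)
    wcsxfrm (result_wc, wcstr, xfrm_len + 1);
  free (result_wc);
  free (wcstr);
  return 0;
}
```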