This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug libc/12424] strtod() reads past the string end


http://sourceware.org/bugzilla/show_bug.cgi?id=12424

Stephane Hockenhull <bz at rv6502 dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
                 CC|                            |bz at rv6502 dot com
            Version|2.13                        |2.15
         Resolution|INVALID                     |

--- Comment #3 from Stephane Hockenhull <bz at rv6502 dot com> 2013-02-14 01:06:40 UTC ---

glibc code is reading past the string end: it is a bug.

----------- strtod.cpp ---------
#include <stdio.h>
#include <stdlib.h>
#include <string>
#include <gnu/libc-version.h>

int main()
{
    printf("GLIBC: %s\n", gnu_get_libc_version ());

    std::string s = "item 1";

    const char *test = s.c_str();

    double d = strtod(test, 0);

    printf("%f\n", d);

    return 0;
}
------------------------------------
==14729== Memcheck, a memory error detector
==14729== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==14729== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==14729== Command: ./strtod
==14729== 
GLIBC: 2.15
==14729== Invalid read of size 8
==14729==    at 0x53D71BF: __GI___strncasecmp_l (strcmp.S:213)
==14729==    by 0x538973F: ____strtod_l_internal (strtod_l.c:574)
==14729==    by 0x4008BA: main (in /home/shockenhull/tmp/glibc_bugs/strtod)
==14729==  Address 0x5a03058 is 24 bytes inside a block of size 31 alloc'd
==14729==    at 0x4C2B1C7: operator new(unsigned long) (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==14729==    by 0x4ED0A88: std::string::_Rep::_S_create(unsigned long, unsigned
long, std::allocator<char> const&) (in
/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.16)
==14729==    by 0x4ED2494: char* std::string::_S_construct<char const*>(char
const*, char const*, std::allocator<char> const&, std::forward_iterator_tag)
(in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.16)
==14729==    by 0x4ED25E2: std::basic_string<char, std::char_traits<char>,
std::allocator<char> >::basic_string(char const*, std::allocator<char> const&)
(in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.16)
==14729==    by 0x40088D: main (in /home/shockenhull/tmp/glibc_bugs/strtod)
==14729== 
==14729== Invalid read of size 8
==14729==    at 0x53D71C7: __GI___strncasecmp_l (strcmp.S:215)
==14729==    by 0x538973F: ____strtod_l_internal (strtod_l.c:574)
==14729==    by 0x4008BA: main (in /home/shockenhull/tmp/glibc_bugs/strtod)
==14729==  Address 0x5a03060 is 1 bytes after a block of size 31 alloc'd
==14729==    at 0x4C2B1C7: operator new(unsigned long) (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==14729==    by 0x4ED0A88: std::string::_Rep::_S_create(unsigned long, unsigned
long, std::allocator<char> const&) (in
/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.16)
==14729==    by 0x4ED2494: char* std::string::_S_construct<char const*>(char
const*, char const*, std::allocator<char> const&, std::forward_iterator_tag)
(in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.16)
==14729==    by 0x4ED25E2: std::basic_string<char, std::char_traits<char>,
std::allocator<char> >::basic_string(char const*, std::allocator<char> const&)
(in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.16)
==14729==    by 0x40088D: main (in /home/shockenhull/tmp/glibc_bugs/strtod)
==14729== 
0.000000
==14729== 
==14729== HEAP SUMMARY:
==14729==     in use at exit: 0 bytes in 0 blocks
==14729==   total heap usage: 1 allocs, 1 frees, 31 bytes allocated
==14729== 
==14729== All heap blocks were freed -- no leaks are possible
==14729== 
==14729== For counts of detected and suppressed errors, rerun with: -v
==14729== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 2 from 2)

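
Added example, not part of the bug report and not glibc code: a guard-page probe that complements the Memcheck run above by placing the string so that its terminating NUL is the last mapped byte and reporting whether the call faults. The names probe_overread, read_with_strtod and read_one_past_nul are made up for this example, and the sample string is the one from the report.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* for MAP_ANONYMOUS */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>
typedef void (*reader_fn)(const char *s);   /* hypothetical helper type */

/* Reader under test: the call from the bug report. */
static void read_with_strtod(const char *s) {
    volatile double d = strtod(s, NULL);
    (void)d;
}

/* Control reader: deliberately touches the byte after the terminating NUL. */
static void read_one_past_nul(const char *s) {
    volatile char c = ((const volatile char *)s)[strlen(s) + 1];
    (void)c;
}

/* Returns 1 if the reader faulted, 0 if it ran clean, -1 on setup failure. */
static int probe_overread(reader_fn reader, const char *text) {
    long page = sysconf(_SC_PAGESIZE);
    size_t len = strlen(text) + 1;                 /* include the NUL */
    if (page <= 0 || len > (size_t)page) return -1;
    size_t pg = (size_t)page;
    char *map = mmap(NULL, 2 * pg, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (map == MAP_FAILED) return -1;
    int rc = -1, status = 0;
    if (mprotect(map + pg, pg, PROT_NONE) == 0) {  /* second page: guard */
        char *s = map + pg - len;                  /* NUL is last mapped byte */
        memcpy(s, text, len);
        pid_t pid = fork();                        /* isolate a possible SIGSEGV */
        if (pid == 0) { reader(s); _exit(0); }
        if (pid > 0 && waitpid(pid, &status, 0) == pid)
            rc = WIFSIGNALED(status) ? 1 : 0;
    }
    munmap(map, 2 * pg);
    return rc;
}
int main(void) {
    printf("control: %d\n", probe_overread(read_one_past_nul, "item 1"));
    printf("strtod:  %d\n", probe_overread(read_with_strtod, "item 1"));
    return 0;
}
```

The probe catches only reads that reach the next page; Memcheck, as in the report, checks every byte against the allocation bounds, so a clean probe result does not contradict a Memcheck error.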
