This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug libc/18670] New: strcasestr and friends segfault
- From: "glibc at beer dot org.uk" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Tue, 14 Jul 2015 12:10:16 +0000
- Subject: [Bug libc/18670] New: strcasestr and friends segfault
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=18670
Bug ID: 18670
Summary: strcasestr and friends segfault
Product: glibc
Version: 2.21
Status: NEW
Severity: critical
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: glibc at beer dot org.uk
CC: drepper.fsp at gmail dot com
Target Milestone: ---
strcasestr (and, I presume, associated functions, although this is the only one
I've tested) segfaults under certain conditions (I haven't explored the range of
arguments that make it segfault).
The following snippet shows the fault :-
---8<------8<------8<------8<------8<------8<------8<---
/* Test strcasestr() */
/* Make sure we get strcasestr() and friends */
#define _GNU_SOURCE
#include <string.h>
#include <stdio.h>

void main(void)
{
    char needle[] = "Above";
    char haystack[] = "Beyond";
    char *result = strcasestr(haystack, needle);
    printf("%s\n", result);
}
---8<------8<------8<------8<------8<------8<------8<---
This was built as follows :-
[vic@perridge glibc_test]$ gcc -g -o test -Wall test.c
test.c:9:6: warning: return type of ‘main’ is not ‘int’ [-Wmain]
[I'm ignoring the warning - I don't care that main is void]
When run, we get the following :-
[vic@perridge glibc_test]$ ./test
Segmentation fault (core dumped)
Looking through the code (I've just done this with 2.21, although I first found
it on 2.14), we find the following in critical_factorization:-
  max_suffix = SIZE_MAX;
  j = 0;
  k = p = 1;
  while (j + k < needle_len)
    {
      a = CANON_ELEMENT (needle[j + k]);
      b = CANON_ELEMENT (needle[max_suffix + k]);
SIZE_MAX is defined as 18446744073709551615UL on my 64-bit system (confirmed
with "gcc -E"); I believe this comes from stdint.h. Needless to say, the
needle[max_suffix + k] dereference will segfault when it is this size. And it
does.
I note that the Debian repository has replaced this method with something much
simpler (that doesn't segfault).
--
You are receiving this mail because:
You are on the CC list for the bug.
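The index arithmetic in the quoted critical_factorization loop, and a NULL-safe way to report a strcasestr() result, as an added example that is not part of the bug report or of glibc's code. It relies only on the C rule that size_t addition is modular, so SIZE_MAX + k evaluates to k - 1 for k >= 1 and needle[max_suffix + k] reads needle[k - 1]. Passing a NULL pointer to printf's %s is undefined behaviour (and gcc may rewrite printf("%s\n", p) into puts(p)), so the example returns an offset or -1 instead of printing the raw pointer. The helper names (wrapped_index, wrapped_reads_in_bounds, find_ci) and the second haystack/needle pair are constructed for this example.

```c
/* Added example (not code from the bug report or from glibc): what the index
 * needle[max_suffix + k] evaluates to when max_suffix == SIZE_MAX, and a
 * NULL-safe way to report a strcasestr() result. */
#define _GNU_SOURCE             /* exposes strcasestr() in glibc's <string.h> */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Explicit prototype in case <string.h> was already pulled in without
 * _GNU_SOURCE by an earlier include; compatible with glibc's declaration. */
extern char *strcasestr(const char *haystack, const char *needle);

/* size_t arithmetic is modulo 2^N, so SIZE_MAX + k wraps to k - 1 for k >= 1.
 * This is the index the quoted loop actually uses for needle[max_suffix + k]. */
size_t wrapped_index(size_t k)
{
    size_t max_suffix = SIZE_MAX;
    return max_suffix + k;      /* unsigned wraparound is well defined in C */
}

/* Starting from the quoted initialisation (j = 0, k = 1), walk k over the
 * values for which j + k < needle_len and check that every wrapped index
 * lands inside the needle. Returns 1 if all such reads are in bounds. */
int wrapped_reads_in_bounds(const char *needle)
{
    size_t needle_len = strlen(needle);
    size_t max_suffix = SIZE_MAX;
    for (size_t k = 1; k < needle_len; k++) {
        size_t idx = max_suffix + k;        /* == k - 1 */
        if (idx >= needle_len)
            return 0;
        (void)needle[idx];  /* same read as CANON_ELEMENT (needle[max_suffix + k]) */
    }
    return 1;
}

/* Case-insensitive search that never hands a NULL pointer to printf("%s"):
 * returns the match offset, or -1 when strcasestr() returns NULL. */
long find_ci(const char *haystack, const char *needle)
{
    char *hit = strcasestr(haystack, needle);
    return hit ? (long)(hit - haystack) : -1;
}

int main(void)
{
    printf("SIZE_MAX + 1 as size_t = %zu\n", wrapped_index(1));
    printf("wrapped reads in bounds for \"Above\": %d\n",
           wrapped_reads_in_bounds("Above"));

    /* First pair: the reporter's inputs (no match). Second pair: constructed. */
    const char *pairs[][2] = {
        { "Beyond", "Above" },
        { "Beyond Above", "above" },
    };
    for (size_t i = 0; i < sizeof pairs / sizeof pairs[0]; i++) {
        long off = find_ci(pairs[i][0], pairs[i][1]);
        if (off < 0)
            printf("\"%s\" in \"%s\": not found\n", pairs[i][1], pairs[i][0]);
        else
            printf("\"%s\" in \"%s\": offset %ld -> \"%s\"\n",
                   pairs[i][1], pairs[i][0], off, pairs[i][0] + off);
    }
    return 0;
}
```

Build it the same way as the report's test program (gcc -std=c99 -Wall -g -o example example.c); the "Beyond"/"Above" pair is reported as not found rather than dereferenced.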