This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug libc/18670] New: strcasestr and friends segfault


https://sourceware.org/bugzilla/show_bug.cgi?id=18670

            Bug ID: 18670
           Summary: strcasestr and friends segfault
           Product: glibc
           Version: 2.21
            Status: NEW
          Severity: critical
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: glibc at beer dot org.uk
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

strcasestr (and, I presume associated functions, although this is the only one
I've tested) segfault under certain conditions (I haven't explored the range of
arguments that make it segfault).

The following snippet shows the fault :-

---8<------8<------8<------8<------8<------8<------8<---

/* Test strcasestr() */

/* Make sure we get strcasestr() and friends */
#define _GNU_SOURCE

#include <string.h>
#include <stdio.h>

void main(void)
{
    char needle[] = "Above";
    char haystack[] = "Beyond";

    char *result = strcasestr(haystack, needle);
    printf("%s\n", result);
}

---8<------8<------8<------8<------8<------8<------8<---

This was built as follows :-

[vic@perridge glibc_test]$ gcc -g -o test -Wall test.c 
test.c:9:6: warning: return type of ‘main’ is not ‘int’ [-Wmain]

[I'm ignoring the warning - I don't care that main is void]

When run, we get the following :-

[vic@perridge glibc_test]$ ./test 
Segmentation fault (core dumped)

Looking through the code (I've just done this with 2.21, although I first found
it on 2.14), we find the following in critical_factorization:-

  max_suffix = SIZE_MAX;
  j = 0;
  k = p = 1;
  while (j + k < needle_len)
    {
      a = CANON_ELEMENT (needle[j + k]);
      b = CANON_ELEMENT (needle[max_suffix + k]);

SIZE_MAX is defined as 18446744073709551615UL on my 64-bit system (confirmed
with "gcc -E"); I believe this comes from stdint.h. Needless to say, the
needle[max_suffix + k] dereference will segfault when it is this size. And it
does.

I note that the Debian repository has replaced this method with something much
simpler (that doesn't segfault).

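As an added example (not part of the bug report and not glibc's own code): a small C program that exercises strcasestr() on the report's inputs plus a matching pair, prints a result only after checking for NULL (a null pointer handed to "%s" is undefined behaviour, so a no-match result must never reach printf unchecked), and evaluates the index expression quoted above from critical_factorization() in plain size_t arithmetic so the reader can check for themselves what it yields. The helper names find_ci, print_match and quoted_index are chosen here and are not glibc functions; the inputs are constructed.

```c
/* Added example: exercising strcasestr() on matching and non-matching
   input, printing the result only when it is non-NULL, and evaluating
   the quoted index expression in size_t arithmetic. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* strcasestr() is a GNU extension */
#endif
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Explicit prototype so the example still builds if a system header was
   processed before _GNU_SOURCE took effect. Same signature as glibc's. */
char *strcasestr(const char *haystack, const char *needle);

/* Offset of the first case-insensitive match of needle in haystack,
   or -1 when there is none. Wrapping strcasestr() this way forces the
   caller to handle the no-match case instead of receiving a NULL that
   might be passed straight to printf("%s"). */
long find_ci(const char *haystack, const char *needle)
{
    char *hit = strcasestr(haystack, needle);
    return hit ? (long)(hit - haystack) : -1;
}

/* Print the match, or a fixed message when there is none. Returns 1 if
   a match was printed, 0 otherwise. The NULL check is the part the
   report's snippet lacks: strcasestr() returns NULL on no match. */
int print_match(const char *haystack, const char *needle)
{
    const char *hit = strcasestr(haystack, needle);
    if (hit == NULL) {
        printf("no match for \"%s\" in \"%s\"\n", needle, haystack);
        return 0;
    }
    printf("match at offset %ld: %s\n", (long)(hit - haystack), hit);
    return 1;
}

/* The index expression quoted from critical_factorization(), evaluated
   exactly as the compiler does: size_t is unsigned, so the addition is
   performed modulo 2^N and wraps rather than growing past SIZE_MAX. */
size_t quoted_index(size_t max_suffix, size_t k)
{
    return max_suffix + k;
}

int main(void)
{
    /* Constructed inputs: the pair from the report plus a matching pair. */
    print_match("Beyond", "Above");   /* no match: strcasestr() gives NULL */
    print_match("Beyond", "YON");     /* case-insensitive hit at offset 2 */
    printf("SIZE_MAX + 1 as size_t = %zu\n", quoted_index(SIZE_MAX, 1));
    return 0;
}
```

Build with `gcc -Wall -o strcasestr_example strcasestr_example.c` (no extra libraries needed); the first call takes the NULL branch rather than crashing, and the last line shows the wrapped value of the quoted index.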
