This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug string/19414] New: mbsrtowcs and wcsrtombs: UB and fail with large len
- From: "cherepan at mccme dot ru" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Mon, 28 Dec 2015 19:28:27 +0000
- Subject: [Bug string/19414] New: mbsrtowcs and wcsrtombs: UB and fail with large len
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=19414
Bug ID: 19414
Summary: mbsrtowcs and wcsrtombs: UB and fail with large len
Product: glibc
Version: 2.22
Status: NEW
Severity: normal
Priority: P2
Component: string
Assignee: unassigned at sourceware dot org
Reporter: cherepan at mccme dot ru
Target Milestone: ---
Created attachment 8867
--> https://sourceware.org/bugzilla/attachment.cgi?id=8867&action=edit
mbsrtowcs and wcsrtombs fail with len=SIZE_MAX
The len argument of the mbsrtowcs and wcsrtombs functions limits the number of
elements stored into the destination array but it could be greater than the
size of the array. Hence additions in the following code fragments are invalid
C (exhibit UB):
https://sourceware.org/git/?p=glibc.git;a=blob;f=wcsmbs/mbsrtowcs_l.c;h=d71934117d4e8aa894aa8d5f33ba2c308a7bf3d6;hb=HEAD#l107
107 data.__outbuf = (unsigned char *) dst;
108 data.__outbufend = data.__outbuf + len * sizeof (wchar_t);
https://sourceware.org/git/?p=glibc.git;a=blob;f=wcsmbs/wcsrtombs.c;h=ae303683383c3116a695bd0269c836a4f92c4cb9;hb=HEAD#l107
107 data.__outbuf = (unsigned char *) dst;
108 data.__outbufend = (unsigned char *) dst + len;
The functions also return wrong results (they wrongly return 0) when called
with large len, e.g., with len=SIZE_MAX. The attached program prints "0 0"
instead of "2 2".
Please note that fixing only the wrong result is not enough; the root problem
is invalid pointer arithmetic. See pr19411 for comparison.
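An added example, not part of the original report or of glibc: an integer model of the two additions quoted above, showing that with len=SIZE_MAX the computed end address lands below the start, plus a caller-side workaround that passes the real array capacity. The helper names and the address 0x1000 are constructed for illustration, and the model assumes a flat address space where uintptr_t and size_t have the same width.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Integer model of "outbuf + len * elem". uintptr_t arithmetic wraps by
   definition, so this is well defined, unlike the pointer addition. */
uintptr_t modeled_end(uintptr_t start, size_t len, size_t elem)
{
    return start + (uintptr_t)len * elem;
}

/* 1 if [start, start + len*elem) is not representable: the multiplication
   or the addition overflows. elem must be nonzero. */
int end_overflows(uintptr_t start, size_t len, size_t elem)
{
    if (len > SIZE_MAX / elem)
        return 1;
    return len * elem > UINTPTR_MAX - start;
}

/* Largest count <= len whose end address is still representable. */
size_t clamp_len(uintptr_t start, size_t len, size_t elem)
{
    size_t room = (UINTPTR_MAX - start) / elem;
    return len < room ? len : room;
}

/* Caller-side workaround: pass the real capacity of dst, not SIZE_MAX. */
size_t convert_bounded(wchar_t *dst, size_t cap, const char *src)
{
    mbstate_t st;
    memset(&st, 0, sizeof st);
    return mbsrtowcs(dst, &src, cap, &st);
}

/* Constructed sample: "ab" into an 8-element array, default "C" locale. */
size_t demo_bounded(void)
{
    wchar_t buf[8];
    return convert_bounded(buf, sizeof buf / sizeof buf[0], "ab");
}

int main(void)
{
    uintptr_t start = 0x1000;   /* constructed sample address */
    printf("end=%#jx overflow=%d bounded=%zu\n",
           (uintmax_t)modeled_end(start, SIZE_MAX, sizeof(wchar_t)),
           end_overflows(start, SIZE_MAX, sizeof(wchar_t)), demo_bounded());
    return 0;
}
```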