This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug glob/20707] New: gl_pathv entries not set to NULL with GLOB_DOOFFS
- From: "mike at php dot net" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Mon, 17 Oct 2016 19:10:22 +0000
- Subject: [Bug glob/20707] New: gl_pathv entries not set to NULL with GLOB_DOOFFS
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=20707
Bug ID: 20707
Summary: gl_pathv entries not set to NULL with GLOB_DOOFFS
Product: glibc
Version: 2.24
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: glob
Assignee: unassigned at sourceware dot org
Reporter: mike at php dot net
Target Milestone: ---
Created attachment 9568 (test program): https://sourceware.org/bugzilla/attachment.cgi?id=9568&action=edit
When calling `glob(pattern, GLOB_DOOFFS, NULL, &gl)` where `gl.gl_offs>0`,
program flow does not ensure that `gl.gl_pathv[0..gl_offs]` entries are
actually set to NULL, while POSIX as well as Linux man pages say that the
reserved slots contain NULL pointers.
Allocation of gl_pathv does actually happen at [1] with a `realloc(NULL)`, not
at [2] where initialization of `gl_pathv[0..gl_offs]` happens.
I made this observation by accident, noticing that a random count of reserved
elements of `gl_pathv` point to random addresses.
The attached test program crashes using address sanitizer, to be built with
`-fsanitize=address -lasan`.
Thanks for your time.
[1]
https://sourceware.org/git/?p=glibc.git;a=blob;f=posix/glob.c;h=ea4b0b61eb17fd38a7dc379e018e1b92abdf29a9;hb=fdfc9260b61d3d72541f18104d24c7bcb0ce5ca2#l1007
[2]
https://sourceware.org/git/?p=glibc.git;a=blob;f=posix/glob.c;h=ea4b0b61eb17fd38a7dc379e018e1b92abdf29a9;hb=fdfc9260b61d3d72541f18104d24c7bcb0ce5ca2#l478
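As an added example (not the reporter's attached program and not glibc code), the following C program calls glob() with GLOB_DOOFFS, counts reserved slots that are not NULL, and shows the defensive step of clearing gl_pathv[0..gl_offs-1] explicitly rather than trusting the library to have done it. The pattern string and the reserved slot count are constructed; GLOB_NOCHECK is used so the call yields one result without depending on the filesystem.

```c
#include <glob.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define RESERVED 4  /* constructed: number of leading slots reserved via gl_offs */

/* Returns how many of the gl_offs reserved slots are NOT NULL (0 = all clear).
   Only the pointer values are compared; nothing is dereferenced. */
size_t count_nonnull_reserved(const glob_t *gl)
{
    size_t bad = 0;
    for (size_t i = 0; i < gl->gl_offs; i++)
        if (gl->gl_pathv[i] != NULL)
            bad++;
    return bad;
}

/* Runs glob() with GLOB_DOOFFS. If clear_reserved is nonzero, the caller
   NULLs gl_pathv[0..gl_offs-1] itself (the mitigation for the behaviour
   described in the report). Returns the number of non-NULL reserved slots
   observed afterwards, or -1 if glob() failed. */
long run_glob_doofs(const char *pattern, int clear_reserved)
{
    glob_t gl;
    memset(&gl, 0, sizeof gl);
    gl.gl_offs = RESERVED;
    /* GLOB_NOCHECK: if nothing matches, the pattern itself is returned as
       the single result, so gl_pathc is always 1 here. */
    if (glob(pattern, GLOB_DOOFFS | GLOB_NOCHECK, NULL, &gl) != 0)
        return -1;
    if (clear_reserved)
        for (size_t i = 0; i < gl.gl_offs; i++)
            gl.gl_pathv[i] = NULL;   /* do not rely on the library for this */
    long bad = (long)count_nonnull_reserved(&gl);
    globfree(&gl);
    return bad;
}

int main(void)
{
    const char *pat = "no_such_file_for_glob_example";  /* constructed pattern */
    printf("non-NULL reserved slots, trusting glob():    %ld\n", run_glob_doofs(pat, 0));
    printf("non-NULL reserved slots, after explicit clear: %ld\n", run_glob_doofs(pat, 1));
    return 0;
}
```

On a glibc with this bug the first line can report a nonzero count; the second line is 0 regardless of the library version.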