Message-ID: <1587721262422.2983@trust-in-soft.com>
Date: Fri, 24 Apr 2020 09:40:15 +0000
From: Pascal Cuoq <cuoq@...st-in-soft.com>
To: "musl@...ts.openwall.com" <musl@...ts.openwall.com>
Subject: Re: Invalid pointer subtractions in __shlim and __shgetc

Hello,

Rich Felker <dalias@...c.org> wrote:

> The attached should fix it, I think.

The patch sets f.rpos and f.rend to buf+4, but it also leaves f.buf containing 0 from “FILE f = {0};”:

--- a/src/stdlib/wcstol.c
+++ b/src/stdlib/wcstol.c
@@ -35,8 +35,7 @@ static unsigned long long wcstox(const wchar_t *s, wchar_t **p, int base, unsign
 	unsigned char buf[64];
 	FILE f = {0};
 	f.flags = 0;
-	f.rpos = f.rend = 0;
-	f.buf = buf + 4;
+	f.rpos = f.rend = buf + 4;
 	f.buf_size = sizeof buf - 4;
 	f.lock = -1;
 	f.read = do_read;

Unfortunately, the function __shlim also subtracts f.rpos from f.buf, at this line:

f->shcnt = f->buf - f->rpos;

(https://git.musl-libc.org/cgit/musl/tree/src/internal/shgetc.c?id=33338ebc853d37c80f0f236cc7a92cb0acc6aace#n11 )

So that is now where the invalid subtraction happens.

For what it's worth, we have tested the patch consisting of initializing all three of f.rpos, f.rend and f.buf to buf+4, and that does not cause UB in this test. But we can't tell if it provides the correct functional behavior for this test and for other inputs.

Pascal
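Review bot: the hunk removes the `f.buf = buf + 4;` assignment, so f.buf keeps the 0 it gets from `FILE f = {0};` while f.rpos and f.rend now point into buf; __shlim's `f->shcnt = f->buf - f->rpos;` then subtracts a pointer into the stack array from a null pointer, which is not a subtraction between pointers into the same object and is still undefined behavior, only moved from __shgetc to __shlim. Keep f.buf pointing into the same array as rpos/rend, e.g. `f.buf = f.rpos = f.rend = buf + 4;`, and note in the commit message that shcnt is computed from buf and rpos so that all three must share one array.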