From: Pascal Cuoq
To: musl@lists.openwall.com
Date: Thu, 23 Apr 2020 11:34:26 +0000
Subject: Re: [musl] Invalid pointer subtractions in __shlim and __shgetc
Message-ID: <1587641710830.20636@trust-in-soft.com>
In-Reply-To: <20200417175651.GK11469@brightrain.aerifal.cx>
References: <1587138997905.95619@trust-in-soft.com> <20200417161351.GH11469@brightrain.aerifal.cx> <20200417164807.GI11469@brightrain.aerifal.cx> <20200417175651.GK11469@brightrain.aerifal.cx>

Hello again,

Rich Felker wrote:
> I think this patch may result in wrong error behavior on a trivial
> scanf that doesn't try to read anything. Instead it should be:
>
> if (!f->rpos) __toread(f);
> if (!f->rpos) goto input_fail;
>
> so that the error path is taken only on failure to enter read mode,
> not on EOF.

This has indeed fixed the invalid comparisons that were observed
from the tests I mentioned earlier, but a different test still has
the same problem.

As of commit 33338eb, the function wcstox does:

f.rpos = f.rend = 0;
f.buf = buf + 4;

(https://git.musl-libc.org/cgit/musl/tree/src/stdlib/wcstol.c?id=33338ebc853d37c80f0f236cc7a92cb0acc6aace#n38 )

It then passes the address of this f to shlim (line 45), causing the same invalid pointer subtraction f->buf - f->rpos that has already been discussed in this thread.

Best regards,

Pascal
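The defect discussed in this thread is a pointer subtraction whose right operand can be a null pointer: `p - q` is only defined in C when both pointers point into the same array object, and a null pointer is not inside any object, so `f->buf - f->rpos` with `rpos == NULL` is undefined behaviour regardless of what value the compiler happens to produce. The following is an added illustration, not musl's code: `struct mini_file`, `consumed_unchecked`, `consumed_checked` and `shlim_checked` are hypothetical stand-ins that mimic the fields and calling pattern described in the mail (a caller that sets `rpos = rend = 0` and `buf` to real storage), with the unchecked subtraction beside a form that tests `rpos` before subtracting.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, stripped-down stand-in for the FILE fields involved:
 * buf is the backing buffer, rpos/rend delimit the unread bytes.
 * A wcstox-style caller may leave rpos and rend as NULL. */
struct mini_file {
    unsigned char *buf;
    unsigned char *rpos;
    unsigned char *rend;
    ptrdiff_t shcnt;      /* buf - rpos at limit setup (negative or zero) */
    unsigned char *shend; /* end of the readable window, or NULL */
};

/* Constructed initialiser so callers can build both kinds of file. */
void mini_file_init(struct mini_file *f, unsigned char *buf,
                    unsigned char *rpos, unsigned char *rend)
{
    f->buf = buf;
    f->rpos = rpos;
    f->rend = rend;
    f->shcnt = 0;
    f->shend = NULL;
}

/* The pattern under discussion: defined only when rpos points into buf.
 * With rpos == NULL this is undefined behaviour (UBSan reports it as a
 * pointer subtraction involving NULL), so it must never be called on an
 * unbuffered file. */
ptrdiff_t consumed_unchecked(const struct mini_file *f)
{
    return f->buf - f->rpos;
}

/* Defensive form: a NULL rpos means "no bytes buffered yet", so report
 * zero and only subtract when both operands point into the buffer. */
ptrdiff_t consumed_checked(const struct mini_file *f)
{
    if (!f->rpos)
        return 0;
    return f->buf - f->rpos;
}

/* Limit setup that only touches rpos/rend when they are valid pointers.
 * lim == 0 means "no limit" and the window ends at rend. */
void shlim_checked(struct mini_file *f, ptrdiff_t lim)
{
    f->shcnt = consumed_checked(f);
    if (!f->rpos) {         /* unbuffered: nothing readable, no end pointer */
        f->shend = NULL;
        return;
    }
    if (lim && f->rend - f->rpos > lim)
        f->shend = f->rpos + lim;
    else
        f->shend = f->rend;
}

int main(void)
{
    /* Constructed file in the wcstox style: real storage, NULL rpos/rend. */
    static unsigned char storage[16];
    struct mini_file unbuffered;
    mini_file_init(&unbuffered, storage + 4, NULL, NULL);
    shlim_checked(&unbuffered, 10);
    printf("unbuffered: shcnt=%td shend=%s\n",
           unbuffered.shcnt, unbuffered.shend ? "set" : "NULL");

    /* Constructed file with two bytes already consumed out of eight. */
    static unsigned char data[8] = {'a','b','c','d','e','f','g','h'};
    struct mini_file buffered;
    mini_file_init(&buffered, data, data + 2, data + 8);
    shlim_checked(&buffered, 3);
    printf("buffered: unchecked=%td checked=%td window=%td bytes\n",
           consumed_unchecked(&buffered), buffered.shcnt,
           buffered.shend - buffered.rpos);
    return 0;
}
```

The point of the checked variant is not the value it returns for the unbuffered case but that it never forms the undefined expression; building the library with `-fsanitize=undefined` is the practical way to catch the unchecked form, since the subtraction usually yields a plausible number and the bug is otherwise silent.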