* wcsncpy bug
@ 2011-05-23 1:25 Szabolcs Nagy
2011-05-23 1:51 ` Rich Felker
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Szabolcs Nagy @ 2011-05-23 1:25 UTC (permalink / raw)
To: musl
[-- Attachment #1: Type: text/plain, Size: 102 bytes --]
wcsncpy(d,s,n) did not decrease n while copying the '\0'
so when s[0]=0 and n=1 it wrote 2 zeros to d
[-- Attachment #2: wcsncpy.diff --]
[-- Type: text/x-diff, Size: 337 bytes --]
diff --git a/src/string/wcsncpy.c b/src/string/wcsncpy.c
index 0164208..fbd0631 100644
--- a/src/string/wcsncpy.c
+++ b/src/string/wcsncpy.c
@@ -3,7 +3,7 @@
wchar_t *wcsncpy(wchar_t *d, const wchar_t *s, size_t n)
{
wchar_t *a = d;
- while (n && (*d++ = *s++)) n--;
+ while (n-- && (*d++ = *s++));
wmemset(d, 0, n);
return a;
}
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: wcsncpy bug
2011-05-23 1:25 wcsncpy bug Szabolcs Nagy
@ 2011-05-23 1:51 ` Rich Felker
2011-05-23 2:00 ` Rich Felker
2011-05-23 2:10 ` Szabolcs Nagy
2 siblings, 0 replies; 5+ messages in thread
From: Rich Felker @ 2011-05-23 1:51 UTC (permalink / raw)
To: musl
On Mon, May 23, 2011 at 03:25:47AM +0200, Szabolcs Nagy wrote:
> wcsncpy(d,s,n) did not decrease n while copying the '\0'
> so when s[0]=0 and n=1 it wrote 2 zeros to d
> diff --git a/src/string/wcsncpy.c b/src/string/wcsncpy.c
> index 0164208..fbd0631 100644
> --- a/src/string/wcsncpy.c
> +++ b/src/string/wcsncpy.c
> @@ -3,7 +3,7 @@
> wchar_t *wcsncpy(wchar_t *d, const wchar_t *s, size_t n)
> {
> wchar_t *a = d;
> - while (n && (*d++ = *s++)) n--;
> + while (n-- && (*d++ = *s++));
> wmemset(d, 0, n);
Yes it was broken but this patch is too. It will now clobber all
memory if the source string does not contain a null terminator, since
the final value of n after the while loop will be (size_t)-1.
Thanks for catching this bug tho. I'll fix it.
Rich
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: wcsncpy bug
2011-05-23 1:25 wcsncpy bug Szabolcs Nagy
2011-05-23 1:51 ` Rich Felker
@ 2011-05-23 2:00 ` Rich Felker
2011-05-23 2:16 ` Szabolcs Nagy
2011-05-23 2:10 ` Szabolcs Nagy
2 siblings, 1 reply; 5+ messages in thread
From: Rich Felker @ 2011-05-23 2:00 UTC (permalink / raw)
To: musl
On Mon, May 23, 2011 at 03:25:47AM +0200, Szabolcs Nagy wrote:
> wcsncpy(d,s,n) did not decrease n while copying the '\0'
> so when s[0]=0 and n=1 it wrote 2 zeros to d
I believe I have fixed this bug, and similar bugs in strncat and
wcsncat. Please let me know if they still have problems.
Rich
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: wcsncpy bug
2011-05-23 1:25 wcsncpy bug Szabolcs Nagy
2011-05-23 1:51 ` Rich Felker
2011-05-23 2:00 ` Rich Felker
@ 2011-05-23 2:10 ` Szabolcs Nagy
2 siblings, 0 replies; 5+ messages in thread
From: Szabolcs Nagy @ 2011-05-23 2:10 UTC (permalink / raw)
To: musl
* Szabolcs Nagy <nsz@port70.net> [2011-05-23 03:25:47 +0200]:
> wchar_t *wcsncpy(wchar_t *d, const wchar_t *s, size_t n)
> {
> wchar_t *a = d;
> - while (n && (*d++ = *s++)) n--;
> + while (n-- && (*d++ = *s++));
hm this code is not ok if n underflows here..
> wmemset(d, 0, n);
> return a;
> }
let me try again..
maybe you can figure out a nicer one
wchar_t *wcsncpy(wchar_t *d, const wchar_t *s, size_t n)
{
wchar_t *a = d;
while (n && *s) {
*d++ = *s++;
n--;
}
wmemset(d, 0, n);
return a;
}
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: wcsncpy bug
2011-05-23 2:00 ` Rich Felker
@ 2011-05-23 2:16 ` Szabolcs Nagy
0 siblings, 0 replies; 5+ messages in thread
From: Szabolcs Nagy @ 2011-05-23 2:16 UTC (permalink / raw)
To: musl
* Rich Felker <dalias@aerifal.cx> [2011-05-22 22:00:55 -0400]:
> I believe I have fixed this bug, and similar bugs in strncat and
> wcsncat. Please let me know if they still have problems.
yes, these look better
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2011-05-23 2:16 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2011-05-23 1:25 wcsncpy bug Szabolcs Nagy
2011-05-23 1:51 ` Rich Felker
2011-05-23 2:00 ` Rich Felker
2011-05-23 2:16 ` Szabolcs Nagy
2011-05-23 2:10 ` Szabolcs Nagy
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).