From: Markus Wichmann
To: musl@lists.openwall.com
Newsgroups: gmane.linux.lib.musl.general
Subject: Re: fread() - possible division by zero
Date: Wed, 14 Feb 2018 20:45:56 +0100
Message-ID: <20180214194556.axf6g3vhplkfysxo@voyager>

On Wed, Feb 14, 2018 at 04:50:44PM -0200, Geraldo Netto wrote:
> Dear Friends,
>
> It seems we may have the same division by zero issue on fread():
>
> This is the original code:
>
> size_t fread(void *restrict destv, size_t size, size_t nmemb, FILE *restrict f)
> {
> 	unsigned char *dest = destv;
> 	size_t len = size*nmemb, l = len, k;
> 	if (!size) nmemb = 0;
>
> 	FLOCK(f);
>
> 	f->mode |= f->mode-1;
>
> 	if (f->rend - f->rpos > 0) {
> 		/* First exhaust the buffer. */
> 		k = MIN(f->rend - f->rpos, l);
> 		memcpy(dest, f->rpos, k);
> 		f->rpos += k;
> 		dest += k;
> 		l -= k;
> 	}
>
> 	/* Read the remainder directly */
> 	for (; l; l-=k, dest+=k) {
> 		k = __toread(f) ? 0 : f->read(f, dest, l);
> 		if (k+1<=1) {
> 			FUNLOCK(f);
> 			return (len-l)/size;
> 		}
> 	}
>
> 	FUNLOCK(f);
> 	return nmemb;
> }
>
>
>
>
> It seems we need to check the variable size on return because if size is
> zero
> We'll have a division by zero and a segmentation fault
>

If size is zero, then l is zero. Even with a filled read buffer, that
can't change since l is lower than all possible other unsigned values,
thus k will be zero as well.

So at the "for" loop, l will be zero, thus the loop will never be
entered, thus the return statement is unreachable in this case. So
again, no division will take place, least of all one by zero.

Say, did you even test these cases? It would take all of five minutes to
do, and belay your suspicions quicker than I can write these responses.

HTH,
Markus
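
The reachability argument in the reply above, as an added example that is not part of the original message and is not musl code: a simplified model of the quoted fread() control flow that records whether the dividing return is ever executed. `struct model_file`, `model_read`, `model_fread` and the `division_reached` flag are hypothetical stand-ins, and locking and `__toread()` are left out.

```c
#include <stddef.h>
#include <string.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Hypothetical stand-in for the FILE fields the quoted fread() touches. */
struct model_file {
    const unsigned char *rpos, *rend;   /* buffered, unread bytes */
    const unsigned char *src;           /* constructed backing data */
    size_t src_left;
    int division_reached;               /* set when the early return runs */
};

/* Stand-in for f->read(): copies up to n bytes, returns 0 at end of data. */
static size_t model_read(struct model_file *f, unsigned char *dst, size_t n) {
    size_t k = MIN(n, f->src_left);
    memcpy(dst, f->src, k);
    f->src += k;
    f->src_left -= k;
    return k;
}

/* Same control flow as the quoted fread(), minus locking and __toread(). */
size_t model_fread(void *destv, size_t size, size_t nmemb, struct model_file *f) {
    unsigned char *dest = destv;
    size_t len = size * nmemb, l = len, k;
    if (!size) nmemb = 0;

    if (f->rend - f->rpos > 0) {
        k = MIN((size_t)(f->rend - f->rpos), l);   /* l == 0 forces k == 0 */
        memcpy(dest, f->rpos, k);
        f->rpos += k;
        dest += k;
        l -= k;
    }
    for (; l; l -= k, dest += k) {      /* never entered when l == 0 */
        k = model_read(f, dest, l);
        if (k + 1 <= 1) {
            f->division_reached = 1;
            return (len - l) / size;    /* l != 0 here, so size != 0 */
        }
    }
    return nmemb;
}

int main(void) {
    unsigned char buf[4] = {1, 2, 3, 4}, out[8];   /* constructed sample data */
    struct model_file f = { buf, buf + 4, buf + 4, 0, 0 };
    return (model_fread(out, 0, 5, &f) == 0 && !f.division_reached) ? 0 : 1;
}
```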