From: Markus Wichmann
Newsgroups: gmane.linux.lib.musl.general
Subject: Re: segfault on sscanf
Date: Thu, 14 Mar 2019 17:28:14 +0100
Message-ID: <20190314162814.GI28106@voyager>
References: <20190314104617.711ac7d8@faultier2go>
In-Reply-To: <20190314104617.711ac7d8@faultier2go>
Reply-To: musl@lists.openwall.com
To: musl@lists.openwall.com
User-Agent: Mutt/1.10.1 (2018-07-13)
Content-Type: text/plain; charset=us-ascii
On Thu, Mar 14, 2019 at 10:46:17AM +0100, Marian Buschsieweke wrote:
> Hi,
>
> running pdflatex on Alpine Linux for a specific document resulted in a
> segfault, which I could trace down to a specific call to sscanf. This is a
> minimum example to reproduce that segfault:
>
> #include <stdio.h>
>
> int main(void) {
>     const char *too_parse = "0 1 -1 0";
>     double f1,f2,f3,f4;
>     char dummy;
>     sscanf(too_parse, " %lf %lf %lf %lf %c", &f1, &f2, &f3, &f4, &dummy);
>
>     printf("f1=%f, f2=%f, f3=%f, f4=%f, dummy=\"%c\"\n", f1, f2, f3, f4, dummy);
>
>     return 0;
> }
>
> This is the backtrace:
>
> #0  0x00007ffff7fb7eba in vfscanf (f=f@entry=0x7fffffffe6f8,
>     fmt=, ap=ap@entry=0x7fffffffe7f8) at src/stdio/vfscanf.c:262
> #1  0x00007ffff7fb971a in vsscanf (s=, fmt=,
>     ap=ap@entry=0x7fffffffe7f8) at src/stdio/vsscanf.c:14
> #2  0x00007ffff7fb594d in sscanf (s=, fmt=)
>     at src/stdio/sscanf.c:9
> #3  0x0000555555555213 in main () at test.c:7
>
> I have the Alpine Linux package musl-1.1.21-r0 installed, which is musl
> version 1.1.21 with minimal changes.
>
> Kind regards,
> Marian

OK, so here's the crashing line:

	while (scanset[(c=shgetc(f))+1]) s[i++] = c;

It is (unsurprisingly) inside the %c parsing case. At the end of input,
shgetc() returns EOF, which is -1. EOF+1 is therefore 0. And scanset[0]
should be set to 0 (that happens a few lines further up). So the crashing
line should never occur (the line number of the crash is for the loop
body itself).

The error is reproducible whenever sscanf() runs out of input within a
%f conversion, and another conversion happens after it. I would not be
surprised if __floatscan() manages to set the file state wrong on EOF.

The above isn't actually minimal. Here's an even shorter segfault.

#include <stdio.h>

int main(void) {
    const char *too_parse = "0";
    double f1;
    char dummy;
    sscanf(too_parse, "%lf%c", &f1, &dummy);   /* %lf: f1 is a double */
    printf("f1=%f, dummy=\"%c\"\n", f1, dummy);
    return 0;
}

So, I'm off to read __floatscan(). As I recall, it was complicated, so
expect me back in about 10 years or so...

Ciao,
Markus
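Added example, not code from this thread or from musl: a self-contained C program that parses the same "<double> <double> <double> <double> <char>" line from the report in two ways. The first keeps sscanf's conversion count, which the reporter's test program throws away (so dummy gets printed even when the input ends before %c is reached). The second uses strtod and never enters the %f-then-%c path that the reply says crashes, while returning the same count so the caller's "== 5" check is unchanged. Every name here (parse_with_sscanf, parse_with_strtod, the count_* and trailing_* helpers) and the sample inputs are this example's own.

```c
/*
 * Added example (not code from the thread or from musl). Two ways to parse
 * the "<double> <double> <double> <double> <char>" line from the report so
 * that short input is detected instead of leaving outputs uninitialised:
 * checking sscanf's conversion count, and a strtod-based parser that does
 * not use the *scanf family at all. All names are this example's own.
 */
#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>

#define NFLOATS 4

/* Variant 1: the reporter's format string, but the return value is kept.
 * sscanf returns the number of successful conversions (0..5) or EOF. */
static int parse_with_sscanf(const char *s, double f[NFLOATS], char *trailing)
{
    return sscanf(s, " %lf %lf %lf %lf %c",
                  &f[0], &f[1], &f[2], &f[3], trailing);
}

/* Variant 2: the same grammar with strtod. Returns the number of items
 * converted, so callers can use the same "== 5" check as for sscanf.
 * Running out of input simply ends the count; nothing is written to
 * *trailing unless a character was actually read. */
static int parse_with_strtod(const char *s, double f[NFLOATS], char *trailing)
{
    int n = 0;

    for (int i = 0; i < NFLOATS; i++) {
        char *end;
        double v = strtod(s, &end);   /* strtod skips leading whitespace itself */
        if (end == s)                  /* no conversion: input exhausted or junk */
            return n;
        f[i] = v;
        n++;
        s = end;
    }

    /* The " %c" part: the space eats whitespace, then exactly one char. */
    while (isspace((unsigned char)*s))
        s++;
    if (*s == '\0')
        return n;                      /* input ended before %c: the thread's case */
    *trailing = *s;
    return n + 1;
}

/* Small wrappers so the counts can be checked without touching the arrays. */
static int count_with_strtod(const char *s)
{
    double f[NFLOATS];
    char c = '?';
    return parse_with_strtod(s, f, &c);
}

static int count_with_sscanf(const char *s)
{
    double f[NFLOATS];
    char c = '?';
    return parse_with_sscanf(s, f, &c);
}

/* Returns the trailing char the strtod parser found, or '?' if input ran out. */
static char trailing_with_strtod(const char *s)
{
    double f[NFLOATS];
    char c = '?';
    parse_with_strtod(s, f, &c);
    return c;
}

int main(void)
{
    /* Constructed inputs: the report's line, the same line with a trailing
     * character, the reduced "0" case, and an empty string. */
    const char *inputs[] = { "0 1 -1 0", "0 1 -1 0 x", "0", "" };

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        double f[NFLOATS] = { 0 };
        char c = '?';
        int n = parse_with_strtod(inputs[i], f, &c);
        if (n == NFLOATS + 1)
            printf("\"%s\": all 5 items, trailing='%c'\n", inputs[i], c);
        else
            printf("\"%s\": only %d item(s) converted, input too short\n",
                   inputs[i], n);
    }
    return 0;
}
```

Build with cc -std=c99. On an affected musl 1.1.21 the sscanf variant is the one that crashes on "0 1 -1 0"; the strtod variant returns 4 for that input and leaves the trailing character untouched, which is the check the reporter's program was missing.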