From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=-3.3 required=5.0 tests=MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL autolearn=ham autolearn_force=no version=3.4.2 Received: (qmail 19863 invoked from network); 23 Apr 2020 16:14:51 -0000 Received: from mother.openwall.net (195.42.179.200) by inbox.vuxu.org with UTF8ESMTPZ; 23 Apr 2020 16:14:51 -0000 Received: (qmail 27760 invoked by uid 550); 23 Apr 2020 16:14:48 -0000 Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Reply-To: musl@lists.openwall.com Received: (qmail 27739 invoked from network); 23 Apr 2020 16:14:48 -0000 Date: Thu, 23 Apr 2020 12:14:35 -0400 From: Rich Felker To: musl@lists.openwall.com Message-ID: <20200423161435.GT11469@brightrain.aerifal.cx> References: <1587138997905.95619@trust-in-soft.com> <20200417161351.GH11469@brightrain.aerifal.cx> <20200417164807.GI11469@brightrain.aerifal.cx> <20200417175651.GK11469@brightrain.aerifal.cx> <1587641710830.20636@trust-in-soft.com> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="uJrvpPjGB3z5kYrA" Content-Disposition: inline In-Reply-To: <1587641710830.20636@trust-in-soft.com> User-Agent: Mutt/1.5.21 (2010-09-15) Subject: Re: [musl] Invalid pointer subtractions in __shlim and __shgetc --uJrvpPjGB3z5kYrA Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Thu, Apr 23, 2020 at 11:34:26AM +0000, Pascal Cuoq wrote: > Hello again, > > Rich Felker wrote: > > I think this patch may result in wrong error behavior on a trivial > > scanf that doesn't try to read anything. Instead it should be: > > > > if (!f->rpos) __toread(f); > > if (!f->rpos) goto input_fail; > > > > so that the error path is taken only on failure to enter read mode, > > not on EOF. > > This has indeed fixed the invalid comparisons that were observed > from the tests I mentioned earlier, but a different test still has > the same problem. > > As of commit 33338eb, the function wcstox does: > f.rpos = f.rend = 0; > f.buf = buf + 4; > > (https://git.musl-libc.org/cgit/musl/tree/src/stdlib/wcstol.c?id=33338ebc853d37c80f0f236cc7a92cb0acc6aace#n38 ) > > It then passes the address of this f to shlim (line 45), causing the > same invalid pointer subtraction f->buf - f->rpos that has already > been discussed in this thread. Thanks. The attached should fix it, I think. Rich --uJrvpPjGB3z5kYrA Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="wcstox.diff" diff --git a/src/stdlib/wcstod.c b/src/stdlib/wcstod.c index 26fe9af8..0be8c167 100644 --- a/src/stdlib/wcstod.c +++ b/src/stdlib/wcstod.c @@ -33,8 +33,7 @@ static long double wcstox(const wchar_t *s, wchar_t **p, int prec) unsigned char buf[64]; FILE f = {0}; f.flags = 0; - f.rpos = f.rend = 0; - f.buf = buf + 4; + f.rpos = f.rend = buf + 4; f.buf_size = sizeof buf - 4; f.lock = -1; f.read = do_read; diff --git a/src/stdlib/wcstol.c b/src/stdlib/wcstol.c index 4443f577..39a51269 100644 --- a/src/stdlib/wcstol.c +++ b/src/stdlib/wcstol.c @@ -35,8 +35,7 @@ static unsigned long long wcstox(const wchar_t *s, wchar_t **p, int base, unsign unsigned char buf[64]; FILE f = {0}; f.flags = 0; - f.rpos = f.rend = 0; - f.buf = buf + 4; + f.rpos = f.rend = buf + 4; f.buf_size = sizeof buf - 4; f.lock = -1; f.read = do_read; --uJrvpPjGB3z5kYrA--