Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm
Reply-To: musl@lists.openwall.com
References: <20210710131026.AE6BD22201B9@gateway02.insomnia247.nl> <20210710165050.GU13220@brightrain.aerifal.cx>
In-Reply-To:
From: David Edelsohn
Date: Sat, 10 Jul 2021 13:17:54 -0400
Message-ID:
To: musl@lists.openwall.com
Cc: jason
Subject: Re: [musl] Bug in src/stdio/fread.c

On Sat, Jul 10, 2021 at 1:13 PM David Edelsohn wrote:
>
> On Sat, Jul 10, 2021 at 12:51 PM Rich Felker wrote:
> >
> > On Sat, Jul 10, 2021 at 03:10:26PM +0200, jason wrote:
> > > If you look at the code:
> > >
> > > size_t fread(void *restrict destv, size_t size, size_t nmemb, FILE *restrict f)
> > > {
> > > 	unsigned char *dest = destv;
>
> k declared but not initialized.
>
> > > 	size_t len = size*nmemb, l = len, k;
> > > 	if (!size) nmemb = 0;
> > >
> > > 	FLOCK(f);
> > >
> > > 	f->mode |= f->mode-1;
> > >
> > > 	if (f->rpos != f->rend) {
> > > 		/* First exhaust the buffer. */
>
> k set to value.
>
> > > 		k = MIN(f->rend - f->rpos, l);
> > > 		memcpy(dest, f->rpos, k);
> > > 		f->rpos += k;
> > > 		dest += k;
> > > 		l -= k;
> > > 	}
> > >
> > > 	/* Read the remainder directly */
>
> USE of k. If f->rpos == f->rend, k was never set before use for the
> first iteration of the loop.
>
> > > 	for (; l; l-=k, dest+=k) {
> > > 		k = __toread(f) ? 0 : f->read(f, dest, l);
> > > 		if (!k) {
> > > 			FUNLOCK(f);
> > > 			return (len-l)/size;
> > > 		}
> > > 	}
> > >
> > > 	FUNLOCK(f);
> > > 	return nmemb;
> > > }
> > >
> > > Consider what happens when f->rpos == f->rend: k is used uninitialized.
> >
> > At which line?

Sorry, my mistake, k will be set in the loop before the iteration expression is evaluated.

- David
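An added example, not code from the musl tree or from anyone in this thread: a stand-in for FILE and an fread with the same control flow as the quoted function (locking and __toread left out), run through both the rpos == rend path the report asks about and the buffered path, so the order in which k is assigned and then consumed by the loop's iteration expression can be checked by execution rather than by reading. The mock_file struct, mock_read, and the two demo functions are constructed for this example.

```c
#include <string.h>
#define MIN(a, b) ((a) < (b) ? (a) : (b))
/* Stand-in for musl's FILE (constructed here, not the real struct); read plays f->read. */
typedef struct mock_file {
    unsigned char *rpos, *rend;      /* buffered bytes not yet consumed */
    const unsigned char *src;        /* data the read callback hands out */
    size_t src_len, src_off;
    size_t (*read)(struct mock_file *, unsigned char *, size_t);
} mock_file;
/* Hands out at most 4 bytes per call so the read loop iterates more than once. */
static size_t mock_read(mock_file *f, unsigned char *buf, size_t len)
{
    size_t n = MIN(MIN(len, 4), f->src_len - f->src_off);
    memcpy(buf, f->src + f->src_off, n);
    f->src_off += n; return n;
}
/* Same control flow as musl's fread minus locking and __toread: k is assigned in
 * the loop body before "l-=k, dest+=k" runs, so it is never read uninitialized. */
size_t mock_fread(void *destv, size_t size, size_t nmemb, mock_file *f)
{
    unsigned char *dest = destv;
    size_t len = size*nmemb, l = len, k;
    if (!size) nmemb = 0;
    if (f->rpos != f->rend) {            /* first exhaust the buffer */
        k = MIN((size_t)(f->rend - f->rpos), l);
        memcpy(dest, f->rpos, k);
        f->rpos += k; dest += k; l -= k;
    }
    for (; l; l-=k, dest+=k) {           /* read the remainder directly */
        k = f->read(f, dest, l);         /* assignment precedes first use */
        if (!k) return (len-l)/size;     /* short read: count whole items */
    }
    return nmemb;
}
/* Path the thread asks about: buffer empty on entry (rpos == rend), 10 source bytes,
 * 3 items of 4 requested. Expect 2 whole items, with k set before every use. */
size_t demo_empty_buffer(void)
{
    const unsigned char src[] = "0123456789"; unsigned char out[12];
    mock_file f = { 0, 0, src, 10, 0, mock_read };
    return mock_fread(out, 4, 3, &f);   /* returns 2 */
}
/* Other path: two bytes already buffered, six more via read; expect all 8 items. */
int demo_buffered_then_read(void)
{
    unsigned char buf[] = "ab", out[9] = {0}; const unsigned char src[] = "cdefgh";
    mock_file f = { buf, buf + 2, src, 6, 0, mock_read };
    return mock_fread(out, 1, 8, &f) == 8 && memcmp(out, "abcdefgh", 8) == 0;
}
```

Building with -fsanitize=undefined or running under valgrind (memcheck) on these two paths reports no uninitialized read, which is the runtime counterpart of the reasoning in the last message.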