From mboxrd@z Thu Jan  1 00:00:00 1970
X-Msuck: nntp://news.gmane.org/gmane.linux.lib.musl.general/521
Path: news.gmane.org!not-for-mail
From: Pascal Cuoq <pascal.cuoq@gmail.com>
Newsgroups: gmane.linux.lib.musl.general
Subject: Re: Undefined behavior in atoi()
Date: Sun, 6 Nov 2011 23:28:41 +0100
Message-ID: <CAOH62Ji7utffebihNd+UCgVurF+O2fSPSR3oeQJ3GRsS3Kf4zw@mail.gmail.com>
References: <CAOH62JjfMW366hJzT=UKRPnmwq_mqmYOhFyvkGaRn0n30Sdj=w@mail.gmail.com>
	<20111106212145.GO132@brightrain.aerifal.cx>
Reply-To: musl@lists.openwall.com
NNTP-Posting-Host: lo.gmane.org
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary=f46d0444e945d6f24504b1187528
X-Trace: dough.gmane.org 1320618538 14617 80.91.229.12 (6 Nov 2011 22:28:58 GMT)
X-Complaints-To: usenet@dough.gmane.org
NNTP-Posting-Date: Sun, 6 Nov 2011 22:28:58 +0000 (UTC)
To: musl@lists.openwall.com
Original-X-From: musl-return-522-gllmg-musl=m.gmane.org@lists.openwall.com Sun Nov 06 23:28:54 2011
Return-path: <musl-return-522-gllmg-musl=m.gmane.org@lists.openwall.com>
Envelope-to: gllmg-musl@lo.gmane.org
Original-Received: from mother.openwall.net ([195.42.179.200])
	by lo.gmane.org with smtp (Exim 4.69)
	(envelope-from <musl-return-522-gllmg-musl=m.gmane.org@lists.openwall.com>)
	id 1RNBCw-0004Km-Hq
	for gllmg-musl@lo.gmane.org; Sun, 06 Nov 2011 23:28:54 +0100
Original-Received: (qmail 3790 invoked by uid 550); 6 Nov 2011 22:28:54 -0000
Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm
Precedence: bulk
List-Post: <mailto:musl@lists.openwall.com>
List-Help: <mailto:musl-help@lists.openwall.com>
List-Unsubscribe: <mailto:musl-unsubscribe@lists.openwall.com>
List-Subscribe: <mailto:musl-subscribe@lists.openwall.com>
Original-Received: (qmail 3782 invoked from network); 6 Nov 2011 22:28:53 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :content-type;
        bh=zFfyN0wfHXoRutm8i47NPVL2PS+Fzq3LvWQQ1QvB5rM=;
        b=F5D8fT7vPO8yrdeAb5ML5yvgzgniOFE/HRej41WKcEf20Yj7VUjm5rlN+AGJB51Mv0
         QFsiU+K6MADN5vF94PDSJAG6/5ak5yK1+lKkPF2IPp6YQSiYyQbbdLxwHgk5jLq6Z3Ir
         Lj3dg+OeTKDMIsm/N6hfTwS9GwpzPoURnDw2c=
In-Reply-To: <20111106212145.GO132@brightrain.aerifal.cx>
Xref: news.gmane.org gmane.linux.lib.musl.general:521
Archived-At: <http://permalink.gmane.org/gmane.linux.lib.musl.general/521>

--f46d0444e945d6f24504b1187528
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On Sun, Nov 6, 2011 at 10:21 PM, Rich Felker <dalias@aerifal.cx> wrote:

>
> Thanks. How did you manage to find this bug? Just browsing source?
>

I was looking at implementations for strtod() (long story for another time)
and I noticed that this library was the most pleasant C code I had
seen in months (seriously), so I lingered a bit. So, the straightforward
answer is "yes, code review".

The slightly longer answer is that I have done the formal verification of
"string to number" C functions in the past, found that they were correct,
noticed the opposite trick, and somehow the relationship
between the two clicked. So I was looking for a classic pitfall here.

Since my previous e-mail, I have been analyzing a few more cases for fun,
and musl's original code also has this issue for the 40 or so values
below LONG_MAX.

The problem is then:

src/stdlib/atol.orig.c:14:[kernel] warning: Signed overflow.
                  assert (long)((long)10*n)+(long)*tmp_0 =E2=89=A4
9223372036854775807LL;

That is, you should in any case subtract '0' from the digit before adding
it in
at line 14. In the case of atoll() on IA32, it will even be more efficient.

Pascal

--f46d0444e945d6f24504b1187528
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On Sun, Nov 6, 2011 at 10:21 PM, Rich Felker <span dir=3D"ltr">&lt;<a href=
=3D"mailto:dalias@aerifal.cx">dalias@aerifal.cx</a>&gt;</span> wrote:<br><d=
iv class=3D"gmail_quote"><blockquote class=3D"gmail_quote" style=3D"margin:=
0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class=3D"im"><br>
</div>Thanks. How did you manage to find this bug? Just browsing source?<br=
></blockquote><div><br></div><div>I was looking at implementations for strt=
od() (long story for another time)</div><div>and I noticed that this librar=
y was the most pleasant C code I had</div>
<div>seen in months (seriously), so I lingered a bit. So, the straightforwa=
rd</div><div>answer is &quot;yes, code review&quot;.</div><div><br></div><d=
iv>The slightly longer answer is that I have done the formal verification o=
f</div>
<div>&quot;string to number&quot; C functions in the past, found that they =
were correct,</div><div>noticed the opposite trick, and somehow the relatio=
nship</div><div>between the two clicked.=C2=A0So I was looking for a classi=
c pitfall here.</div>
<div><br></div><div>Since my previous e-mail, I have been analyzing a few m=
ore cases for fun,</div><div>and musl&#39;s original code also has this iss=
ue for the 40 or so values</div><div>below LONG_MAX.</div><div><br></div>
<div>The problem is then:</div><div><br></div><div><div>src/stdlib/atol.ori=
g.c:14:[kernel] warning: Signed overflow.</div><div>=C2=A0 =C2=A0 =C2=A0 =
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 assert (long)((long)10*n)+(long)*=
tmp_0 =E2=89=A4 9223372036854775807LL;</div></div><div>
<br></div><div>That is, you should in any case subtract &#39;0&#39; from th=
e digit before adding it in</div><div>at line 14.=C2=A0In the case of atoll=
() on IA32, it will even be more efficient.</div><div><br></div><div>Pascal=
</div>
<div><br></div><div><br></div></div>

--f46d0444e945d6f24504b1187528--