This is the mail archive of the libc-alpha@sourceware.cygnus.com mailing list for the glibc project.
[martinea@IRO.UMontreal.CA] libc/1486: strsep access string beyond '\0'
- To: "GNU C. library Alpha Tester List" <libc-alpha at sourceware dot cygnus dot com>, martinea at iro dot umontreal dot ca
- Subject: [martinea@IRO.UMontreal.CA] libc/1486: strsep access string beyond '\0'
- From: Andreas Jaeger <aj at suse dot de>
- Date: 14 Dec 1999 09:25:12 +0100
We received the appended bug report. I've rewritten the test for our
own test framework (patch is appended). Tests 75, 77 and 80 fail now.
The documentation on strsep isn't totally clear to me. What should
happen in this case:
  *one = '\0';
  cp = one;
  token = strsep(&cp, ",");
cp should be NULL and token also NULL?
Before I fix strsep, I'd like to know if my tests are ok. Could
somebody please double check the four new test cases and tell me if
they're ok?
Thanks,
Andreas
1999-12-14  Andreas Jaeger  <aj@suse.de>

	* string/tester.c (test_strsep): More tests for access beyond
	the final NUL.  The first two tests come from PR libc/1486 by
	martinea@iro.umontreal.ca.

--- string/tester.c.~1~ Mon Oct 4 09:38:10 1999
+++ string/tester.c Tue Dec 14 09:22:23 1999
@@ -901,6 +901,25 @@
equal(strsep(&cp, "xy,"), "", 71);
check(strsep(&cp, "x,y") == NULL, 72);
check(strsep(&cp, ",xy") == NULL, 73); /* Persistence. */
+
+ cp = strcpy(one, "ABC");
+ one[4] = ':';
+ equal(strsep(&cp, "C"), "AB", 74); /* Access beyond NUL. */
+ check(strsep(&cp, ":") == NULL, 75);
+
+ cp = strcpy(one, "ABC");
+ one[4] = ':';
+ equal(strsep(&cp, "CD"), "AB", 76); /* Access beyond NUL. */
+ check(strsep(&cp, ":.") == NULL, 77);
+
+ cp = strcpy(one, "ABC"); /* No token in string. */
+ equal(strsep(&cp, ","), "ABC", 78);
+ check(cp == NULL, 79);
+
+ *one = '\0'; /* Empty string. */
+ cp = one;
+ check (strsep(&cp, ",") == NULL, 80);
+ check (cp == NULL, 81);
}
void
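Review bot: Tests 75 and 77 check only the return value of the second strsep call and never look at cp afterwards, although the report is that *stringp is not set to NULL; add a check(cp == NULL, ...) after each, as tests 79 and 81 already do. After test 74, cp is non-NULL and points at the NUL in one[3], i.e. at an empty string, which is the same situation as test 80, and the unchanged test 71 above expects strsep to hand back an empty-string token before the NULL of test 72, so the NULL expected by 75, 77 and 80 should be confirmed against the documentation before this goes in. The "Access beyond NUL" comments sit on tests 74 and 76, but the call that can run past the NUL is the one in 75 and 77. Tests 80 and 81 write "check (" with a space where the rest of the hunk uses "check(".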
- Subject: libc/1486: strsep access string beyond '\0'
- From: martinea at IRO dot UMontreal dot CA
- Date: Tue Dec 14 08:59:57 1999
Topics:
libc/1486: strsep access string beyond '\0'
----------------------------------------------------------------------
Date: Mon, 13 Dec 1999 13:06:56 -0500
From: martinea@IRO.UMontreal.CA
To: bugs@gnu.org
Subject: libc/1486: strsep access string beyond '\0'
Message-Id: <199912131806.NAA26849@delysid.gnu.org>
>Number: 1486
>Category: libc
>Synopsis: strsep access string beyond '\0'
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: libc-gnats
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Mon Dec 13 13:10:00 EST 1999
>Last-Modified:
>Originator: martinea@IRO.UMontreal.CA
>Organization:
net
>Release: 2.1.1
>Environment:
Linux 2.2.12 i686 Redhat-6.0
>Description:
if **stringp == '\0' on a call to strsep, it will access beyond this '\0'
and will not set *stringp to NULL
>How-To-Repeat:
#include <stdio.h>
#include <string.h>

int main ()
{
  char buffer[80], *line, *token;

  line = buffer;
  strcpy(line,"ABC");
  line[strlen(line)+1] = ':';
  token = strsep(&line, "C");
  if(line != NULL) printf("%s\n",token);
  else printf("no token\n");
  token = strsep(&line, ":");
  if(line != NULL) printf("%s\n",token);
  else printf("no token\n");
  return 0;
}
The output of this program should be
AB
no token%0
>Fix:
>Audit-Trail:
>Unformatted:
------------------------------
End of forwardRoC57W Digest
***************************
--
Andreas Jaeger
SuSE Labs aj@suse.de
private aj@arthur.rhein-neckar.de
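
The case discussed in this thread, as an added example that is not part of the original mail and is not glibc's code: a reference strsep written from the BSD manual's description (the original *stringp is returned, NULL is stored in *stringp once the terminating NUL is reached, and NULL is returned only when *stringp is already NULL), run over the reporter's buffer and over an empty string. The names `ref_strsep`, `scenario_stays_in_bounds` and `empty_input_yields_one_empty_token` are hypothetical.

```c
#include <string.h>

/* Hypothetical reference strsep (not glibc's code), following the BSD
   manual: return the original *stringp, store NULL in *stringp when the
   terminating NUL is reached, return NULL only if *stringp is NULL. */
char *ref_strsep(char **stringp, const char *delim)
{
    char *begin = *stringp;
    if (begin == NULL)
        return NULL;
    /* strcspn stops at the NUL, so the scan never leaves the string. */
    char *end = begin + strcspn(begin, delim);
    if (*end != '\0') {
        *end = '\0';            /* terminate the token */
        *stringp = end + 1;     /* resume after the delimiter */
    } else {
        *stringp = NULL;        /* end of string: nothing left to scan */
    }
    return begin;
}

/* Reporter's scenario: "ABC" with ':' planted one byte past the NUL.
   Returns 1 when the second call stays inside the string. */
int scenario_stays_in_bounds(void)
{
    char buffer[80];
    char *line = buffer;
    strcpy(line, "ABC");
    line[strlen(line) + 1] = ':';          /* buffer[4], beyond the NUL */
    char *token = ref_strsep(&line, "C");
    if (strcmp(token, "AB") != 0 || line != buffer + 3)
        return 0;
    token = ref_strsep(&line, ":");        /* line points at an empty string */
    /* Empty token returned, *stringp cleared, planted ':' never matched. */
    return token == buffer + 3 && *token == '\0'
        && line == NULL && buffer[4] == ':';
}

/* Empty input: one empty token, then NULL on the following call. */
int empty_input_yields_one_empty_token(void)
{
    char one[8] = "";
    char *cp = one;
    char *first = ref_strsep(&cp, ",");
    return first == one && cp == NULL && ref_strsep(&cp, ",") == NULL;
}
```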