This is the mail archive of the libc-alpha@sourceware.cygnus.com mailing list for the glibc project.



[martinea@IRO.UMontreal.CA] libc/1486: strsep access string beyond '\0'



We received the appended bug report.  I've rewritten the test for our
own test framework (patch is appended).  Tests 75, 77 and 80 fail now.

The documentation on strsep isn't totally clear to me.  What should
happen in this case:

  *one = '\0';
  cp = one;
  token = strsep(&cp, ",");
cp should be NULL and token also NULL?

Before I fix strsep, I'd like to know if my tests are ok.  Could
somebody please double check the four new test cases and tell me if
they're ok?

Thanks,
Andreas
 
1999-12-14  Andreas Jaeger  <aj@suse.de>

	* string/tester.c (test_strsep): More tests for access beyond
	the final NUL.  The first two tests come from PR libc/1486 by
	martinea@iro.umontreal.ca.

--- string/tester.c.~1~	Mon Oct  4 09:38:10 1999
+++ string/tester.c	Tue Dec 14 09:22:23 1999
@@ -901,6 +901,25 @@
   equal(strsep(&cp, "xy,"), "", 71);
   check(strsep(&cp, "x,y") == NULL, 72);
   check(strsep(&cp, ",xy") == NULL, 73);	/* Persistence. */
+
+  cp = strcpy(one, "ABC");
+  one[4] = ':';
+  equal(strsep(&cp, "C"), "AB", 74);	/* Access beyond NUL.  */
+  check(strsep(&cp, ":") == NULL, 75);
+
+  cp = strcpy(one, "ABC");
+  one[4] = ':';
+  equal(strsep(&cp, "CD"), "AB", 76);	/* Access beyond NUL.  */
+  check(strsep(&cp, ":.") == NULL, 77);
+
+  cp = strcpy(one, "ABC");		/* No token in string.  */
+  equal(strsep(&cp, ","), "ABC", 78);
+  check(cp == NULL, 79);
+
+  *one = '\0';				/* Empty string. */
+  cp = one;
+  check (strsep(&cp, ",") == NULL, 80);
+  check (cp == NULL, 81);
 }
 
 void
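Review bot: Tests 75 and 77 assert only on the return value of the second strsep call, while the PR's reproducer decides "no token" from line (that is, *stringp) being NULL, and its description complains that *stringp is not set to NULL. After the first call cp points at the original terminating NUL, the same empty-string state that test 80 sets up, so both cases should also carry a check(cp == NULL, n) as tests 79 and 81 do. Whether the return value for an empty string should be NULL or a pointer to the empty string is the question the cover mail leaves open; test 71 in the context lines already expects an empty token "", so the NULL expectation in 75, 77 and 80 deserves a comment stating why it differs. Minor: tests 80 and 81 write "check (" with a space, unlike the rest of the function.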




Topics:
   libc/1486: strsep access string beyond '\0'


----------------------------------------------------------------------

Date: Mon, 13 Dec 1999 13:06:56 -0500
From: martinea@IRO.UMontreal.CA
To: bugs@gnu.org
Subject: libc/1486: strsep access string beyond '\0'
Message-Id: <199912131806.NAA26849@delysid.gnu.org>


>Number:         1486
>Category:       libc
>Synopsis:       strsep access string beyond '\0'
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    libc-gnats
>State:          open
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Mon Dec 13 13:10:00 EST 1999
>Last-Modified:
>Originator:     martinea@IRO.UMontreal.CA
>Organization:
net
>Release:        2.1.1
>Environment:
Linux 2.2.12 i686 Redhat-6.0
>Description:
if **stringp == '\0' on a call to strsep, it will access beyond this '\0'
and will not set *stringp to NULL
>How-To-Repeat:
#include <stdio.h>
#include <string.h>

int main ()
{
  char buffer[80], *line, *token;

  line = buffer;

  strcpy(line,"ABC");
  line[strlen(line)+1] = ':';

  token = strsep(&line, "C");
  if(line != NULL) printf("%s\n",token);
       else printf("no token\n");
  token = strsep(&line, ":");
  if(line != NULL) printf("%s\n",token);
       else printf("no token\n");

  return 0;
}



The output of this program should be
AB
no token
>Fix:
>Audit-Trail:
>Unformatted:


------------------------------

End of forwardRoC57W Digest
***************************



-- 
 Andreas Jaeger
  SuSE Labs aj@suse.de
   private aj@arthur.rhein-neckar.de
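
The scenario from PR libc/1486 run against a bounded strsep, as an added example that is not part of the original mail and not glibc's code. `ref_strsep` and `pr1486_scenario` are hypothetical names; returning an empty token (rather than NULL) for an empty input follows the BSD strsep contract, which is an assumption about the intended semantics that the thread itself does not settle.

```c
#include <stddef.h>
#include <string.h>

/* ref_strsep: hypothetical reference implementation, not glibc's code.
   Assumed contract (BSD strsep): NULL *stringp -> return NULL; no
   delimiter found -> token is the whole rest and *stringp becomes NULL. */
char *ref_strsep(char **stringp, const char *delim)
{
    char *begin = *stringp;
    char *end;

    if (begin == NULL)
        return NULL;

    /* strcspn stops at the terminating NUL, so the scan never reads
       bytes that lie behind the end of the string. */
    end = begin + strcspn(begin, delim);
    if (*end != '\0') {
        *end = '\0';          /* terminate the token at the delimiter */
        *stringp = end + 1;   /* next call continues after it */
    } else {
        *stringp = NULL;      /* string exhausted, also when it was empty */
    }
    return begin;
}

/* Constructed scenario from the PR: "ABC", then a ':' placed one byte
   behind the terminating NUL.  Returns a bit mask of passed checks. */
int pr1486_scenario(void)
{
    char buf[80];
    char *cp, *tok1, *tok2;
    int ok = 0;

    memset(buf, 0, sizeof buf);
    cp = strcpy(buf, "ABC");
    buf[4] = ':';

    tok1 = ref_strsep(&cp, "C");
    if (strcmp(tok1, "AB") == 0 && cp == &buf[3]) ok |= 1;

    tok2 = ref_strsep(&cp, ":");            /* cp points at an empty string */
    if (tok2 == &buf[3] && *tok2 == '\0') ok |= 2;  /* empty token returned */
    if (cp == NULL) ok |= 4;                /* *stringp reset to NULL */
    if (buf[4] == ':') ok |= 8;             /* byte behind the NUL untouched */
    if (ref_strsep(&cp, ":") == NULL) ok |= 16;     /* persistence */
    return ok;
}
```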
