Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <a0649adad5fc4c04b9616443ce18326a@S1688.EX1688.lan>
Date: Fri, 17 Jul 2015 18:28:00 +0000
From: Loïc Runarvot <loic.runarvot@...st-in-soft.com>
To: "musl@...ts.openwall.com" <musl@...ts.openwall.com>
Subject: Left-shift of negative number


According to the C11 standard, doing a left-shift on a negative integer is considered as an undefined behavior (6.5.7:4).

This undefined behavior occurs in files src/multibyte/internal.c and src/multibyte/internal.h.
At line 21 in the header (http://git.musl-libc.org/cgit/musl/tree/src/multibyte/internal.h?id=0f9c2666aca95eb98eb0ef4f4d8d1473c8ce3fa0#n21),
the implementation of the macro-definition R allow to have a negative value on the expression ((a == 0x80) ? 0x40-b : -a) << 23.

In fact, in the source file, at the line 11 (http://git.musl-libc.org/cgit/musl/tree/src/multibyte/internal.c?id=0f9c2666aca95eb98eb0ef4f4d8d1473c8ce3fa0#n11).
During the application of the macro-definition R(0x90, 0xc0), we have a != 0x90, so it's try to do (-0x90) << 23, which is an undefined behavior.

This bug was found in the context of the libc cross-testing project (a post blog has been written on this subject yesterday: http://trust-in-soft.com/the-libc-cross-testing-project)


Content of type "text/html" skipped

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.