Message-ID: <07D34AED-17F5-4FCB-88F6-CB24D2A09A06@trust-in-soft.com>
Date: Thu, 14 Mar 2019 14:34:21 +0000
From: Pascal Cuoq <cuoq@...st-in-soft.com>
To: "musl@...ts.openwall.com" <musl@...ts.openwall.com>
CC: Natanael ncopa Copa <ncopa@...inelinux.org>, Marian Buschsieweke
	<marian.buschsieweke@...u.de>
Subject: Re: segfault on sscanf

Hello,

> On 14 Mar 2019, at 14:29, Szabolcs Nagy <nsz@...t70.net> wrote:
> 
> * A. Wilcox <awilfox@...lielinux.org> [2019-03-14 07:44:55 -0500]:
>> On Mar 14, 2019, at 4:46 AM, Marian Buschsieweke <marian.buschsieweke@...u.de> wrote:
>>> running pdflatex on Alpine Linux for a specific document resulted in a
>>> segfault, which I could trace down to a specific call to sscanf. This is a
>>> minimum example to reproduce that segfault:
>>> 
>>>   #include <stdio.h>
>>> 
>>>   int main(void) {
>>>       const char *too_parse = "0 1 -1 0";
>>>       double f1,f2,f3,f4;
>>>       char dummy;
>>>       sscanf(too_parse, " %lf %lf %lf %lf %c", &f1, &f2, &f3, &f4, &dummy);
>>> 
>>>       printf("f1=%f, f2=%f, f3=%f, f4=%f, dummy=\"%c\"\n", f1, f2, f3, f4, dummy);
>>> 
>>>       return 0;
>>>   }
>>> 
>> 
>> Hi Marian,
>> 
>> In your example you have four fields, but sscanf is looking for five. You have run off the end of the string. This is illegal/UB.  Is this intentional in your test case?
> 
> the example does not look undefined to me.
> 
>  7.21.6.7p3
>  The sscanf function returns the value of the macro EOF if an input
>  failure occurs before the first conversion (if any) has completed.
>  Otherwise, the sscanf function returns the number of input items
>  assigned, which can be fewer than provided for, or even zero, in
>  the event of an early matching failure.
> 
> invalid format specifier, invalid argument type or overflow during
> conversion would be undefined, but input parsing error is not.

Years of effort have been poured into this quick online checker for UB in C snippets, and it doesn't think there's UB in the sscanf call, either:

https://taas.trust-in-soft.com/tsnippet/t/65161071

The call to printf is UB, because the variable dummy has been left uninitialized.

Pascal
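The thread turns on two points: a matching or input failure makes sscanf return a count (or EOF) rather than invoke undefined behaviour, and the reproducer's real UB is reading `dummy` after sscanf never stored to it. The program below is an added example, not code from the thread or from musl; it wraps the same format string in a hypothetical helper `parse_four` that initialises every output first and treats the return value as the only source of truth about which outputs are valid. The sample inputs are constructed.

```c
#include <stdio.h>

/* Outcome of parsing "f1 f2 f3 f4 [c]" with the reproducer's format. */
struct four_doubles {
    double f[4];
    char trailing;   /* stays '\0' when no fifth item was present */
    int assigned;    /* exactly what sscanf returned: EOF or 0..5 */
};

/* Hypothetical helper (not from the thread). Every output is initialised
 * before the call, so an item that sscanf never converted is still a
 * defined value, and the caller decides validity from `assigned`. */
static struct four_doubles parse_four(const char *input)
{
    struct four_doubles r = { {0.0, 0.0, 0.0, 0.0}, '\0', 0 };

    /* sscanf stores only the items it successfully converted (C11
     * 7.21.6.7p3): fewer fields than conversions is an early matching
     * failure reported through the return value, not UB. */
    r.assigned = sscanf(input, " %lf %lf %lf %lf %c",
                        &r.f[0], &r.f[1], &r.f[2], &r.f[3], &r.trailing);
    return r;
}

/* The four numbers are mandatory; the trailing character is optional. */
static int has_four_numbers(const struct four_doubles *r)
{
    return r->assigned >= 4;
}

int main(void)
{
    /* Constructed inputs: complete, complete with a 5th item, short, empty. */
    const char *inputs[] = { "0 1 -1 0", "0 1 -1 0 x", "0 1", "" };
    size_t n = sizeof inputs / sizeof inputs[0];

    for (size_t i = 0; i < n; i++) {
        struct four_doubles r = parse_four(inputs[i]);
        printf("\"%s\": sscanf returned %d, f=[%g %g %g %g], "
               "trailing='%c', complete=%d\n",
               inputs[i], r.assigned, r.f[0], r.f[1], r.f[2], r.f[3],
               r.trailing ? r.trailing : '-', has_four_numbers(&r));
    }
    return 0;
}
```

For the original input `"0 1 -1 0"` the call returns 4: the fifth conversion hits end of input after four items were already assigned, so it is a matching failure, not EOF. The empty string is the other case the quoted paragraph describes: input failure before the first conversion, reported as EOF.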

