Date: Fri, 24 Apr 2020 09:40:15 +0000
From: Pascal Cuoq <>
To: "" <>
Subject: Re: Invalid pointer subtractions in __shlim and __shgetc


Rich Felker <> wrote:
> The attached should fix it, I think.

The patch sets f.rpos and f.rend to buf+4, but it also leaves
f.buf containing 0 from “FILE f = {0};”:
--- a/src/stdlib/wcstol.c
+++ b/src/stdlib/wcstol.c
@@ -35,8 +35,7 @@ static unsigned long long wcstox(const wchar_t *s, wchar_t **p, int base, unsign
 	unsigned char buf[64];
 	FILE f = {0};
 	f.flags = 0;
-	f.rpos = f.rend = 0;
-	f.buf = buf + 4;
+	f.rpos = f.rend = buf + 4;
 	f.buf_size = sizeof buf - 4;
 	f.lock = -1; = do_read;
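Review bot: the hunk removes the `f.buf = buf + 4;` assignment without replacing it, so after `FILE f = {0};` f.buf stays a null pointer while f.rpos and f.rend now point into buf; any later `f->buf - f->rpos` (the __shlim line quoted in this mail) then subtracts a pointer into the array from a null pointer, which is the same class of invalid pointer subtraction the patch sets out to remove. Suggest keeping the buf assignment next to the new line, e.g. `f.rpos = f.rend = f.buf = buf + 4;`, so all three pointers refer to the same object.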

Unfortunately, the function __shlim also subtracts f.rpos from f.buf, at this line:

  f->shcnt = f->buf - f->rpos;


So that is now where the invalid subtraction happens.

For what it's worth, we have tested the patch consisting in
initializing all three of f.rpos, f.rend and f.buf to buf+4, and that
does not cause UB in this test. But we can't tell if it provides the
correct functional behavior for this test and for other inputs.
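The following is an added illustration, not musl's code and not part of this thread: a simplified model of the buffered-reader state discussed above (a scratch buffer with a 4-byte pushback area, plus buf, rpos and rend pointers) whose initialisation follows the three-pointer variant described in the mail, so that the __shlim-style subtraction `buf - rpos` is between two pointers into the same array and evaluates to 0. The struct, the toy source string and the parse helper are constructed for this example; the refill step stands in for do_read.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of a FILE-like reader (added example, not musl's code). */
#define BUFSZ 64
#define PUSHBACK 4

struct stream {
    unsigned char storage[BUFSZ];
    unsigned char *buf;      /* start of the usable buffer: storage + PUSHBACK */
    unsigned char *rpos;     /* next byte to read */
    unsigned char *rend;     /* one past the last valid byte */
    size_t buf_size;
    const char *src;         /* constructed data source standing in for do_read */
    size_t src_len, src_off;
    ptrdiff_t shcnt;         /* bytes consumed before the current buffer */
};

/* Initialisation following the variant tested in the mail: buf, rpos and rend
 * all start at storage + PUSHBACK, so none of them is a null pointer. */
static void stream_init(struct stream *s, const char *src)
{
    memset(s, 0, sizeof *s);
    s->buf = s->rpos = s->rend = s->storage + PUSHBACK;
    s->buf_size = BUFSZ - PUSHBACK;
    s->src = src;
    s->src_len = strlen(src);
    s->src_off = 0;
}

/* Counterpart of the quoted __shlim line: both pointers are into s->storage,
 * so the subtraction is well defined and is 0 right after stream_init. */
static ptrdiff_t stream_shlim(struct stream *s)
{
    s->shcnt = s->buf - s->rpos;
    return s->shcnt;
}

/* Refill the buffer from the constructed source; returns 0 at end of input. */
static int stream_refill(struct stream *s)
{
    size_t n = s->src_len - s->src_off;
    if (n == 0) return 0;
    if (n > s->buf_size) n = s->buf_size;
    memcpy(s->buf, s->src + s->src_off, n);
    s->src_off += n;
    s->rpos = s->buf;
    s->rend = s->buf + n;
    return 1;
}

/* Counterpart of __shgetc: next byte, refilling as needed, or -1 at EOF. */
static int stream_getc(struct stream *s)
{
    if (s->rpos == s->rend && !stream_refill(s)) return -1;
    return *s->rpos++;
}

/* Consume leading decimal digits and return their value; *consumed receives
 * the digit count. The first non-digit is pushed back into the buffer. */
static unsigned long stream_parse_digits(struct stream *s, size_t *consumed)
{
    unsigned long v = 0;
    int c;
    *consumed = 0;
    while ((c = stream_getc(s)) >= '0' && c <= '9') {
        v = v * 10 + (unsigned long)(c - '0');
        (*consumed)++;
    }
    if (c >= 0) s->rpos--;   /* byte came from the buffer, so rpos > buf here */
    return v;
}

/* Runs the scenario end to end; returns 1 when every check holds. Uses an
 * input longer than buf_size so a refill happens mid-number. */
static int selfcheck(void)
{
    struct stream s;
    char big[BUFSZ + 3];
    size_t n;

    stream_init(&s, "12345xyz");
    if (s.buf != s.rpos || s.rpos != s.rend) return 0;
    if (stream_shlim(&s) != 0) return 0;
    if (stream_parse_digits(&s, &n) != 12345UL || n != 5) return 0;
    if (stream_getc(&s) != 'x') return 0;

    memset(big, '0', BUFSZ);           /* 64 zeros, then "7q": crosses a refill */
    big[BUFSZ] = '7'; big[BUFSZ + 1] = 'q'; big[BUFSZ + 2] = '\0';
    stream_init(&s, big);
    if (stream_parse_digits(&s, &n) != 7UL || n != BUFSZ + 1) return 0;
    if (stream_getc(&s) != 'q') return 0;
    return 1;
}

int main(void)
{
    return selfcheck() ? 0 : 1;
}
```

The point of the model is the initialisation line: with all three pointers derived from the same array, `buf - rpos` is defined by the C standard, whereas the zeroed `buf` left behind by the original patch would make the same expression a subtraction involving a null pointer.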

