bug-glibc

glibc 2.2.2 strtok() segfault


From: Andrew Church
Subject: glibc 2.2.2 strtok() segfault
Date: Wed, 21 Feb 2001 17:00:51 JST

     There is a bug in strtok() on the i686 platform, and possibly
others, which will cause a segmentation fault under limited conditions.
The following program demonstrates this bug:

---------------------------
#include <string.h>
int main() {
    char buf[1] = {0};
    char *s1, *s2;
    s1 = strtok(buf, " ");
    s2 = strtok(NULL, " "); // segfault here
    return 0;
}
---------------------------

     The bug occurs because strtok()'s internal saved string pointer
(save_ptr in sysdeps/i386/i686/strtok.S) is initialized to NULL at
program start time, and is not updated after the first strtok() call
(which returns NULL), so that the NULL in the second call causes this
pointer to be used and a NULL dereference to occur.

     I do realize that calling strtok() with NULL after a NULL result
could be considered improper practice, depending on how strtok() is
defined in the standards (my man page doesn't say anything about the
behavior of strtok() after a NULL result), but this is the first time
I have seen a libc that crashes in such a circumstance, and I think
that at least minimal robustness is appropriate here.

  --Andrew Church
    address@hidden | New address - please note.
    http://achurch.org/ | My email address has changed.
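The defensive pattern implied by the report, as an added example (not code from the report or from glibc): a wrapper that tracks whether strtok() has already returned NULL for the current input and refuses to hand NULL back to it, plus a tokenizer that stops at the first NULL result. The function names guarded_strtok, split_tokens and report_pattern_is_safe are assumptions made for this example; the request-line string is constructed sample input. In multi-threaded code the same guard belongs around strtok_r, which keeps the saved pointer in caller-owned storage.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Wrapper around strtok that remembers whether the current input has
 * been exhausted. Once strtok has returned NULL, further calls with a
 * NULL first argument return NULL at once instead of letting strtok
 * dereference its saved pointer (save_ptr in the report), which is not
 * guaranteed to be valid at that point. Like strtok itself this keeps
 * static state and is not thread safe. Name chosen for this example. */
char *guarded_strtok(char *s, const char *delim)
{
    static bool exhausted = true;   /* nothing has been tokenised yet */
    char *tok;

    if (s != NULL)
        exhausted = false;          /* new input resets the state */
    else if (exhausted)
        return NULL;                /* do not call strtok(NULL) after NULL */

    tok = strtok(s, delim);
    if (tok == NULL)
        exhausted = true;
    return tok;
}

/* Split buf in place on any character in delim, storing at most max
 * token pointers in out[]. Returns the number of tokens stored. The
 * loop ends at the first NULL, so strtok is never asked to continue
 * past the end of the input. */
size_t split_tokens(char *buf, const char *delim, char **out, size_t max)
{
    size_t n = 0;
    char *tok = guarded_strtok(buf, delim);

    while (tok != NULL && n < max) {
        out[n++] = tok;
        tok = guarded_strtok(NULL, delim);
    }
    return n;
}

/* Reproduces the call sequence from the report: an empty buffer, a
 * NULL result, then a second call with NULL. Returns true when both
 * calls yield NULL and the second one never reaches strtok. */
bool report_pattern_is_safe(void)
{
    char buf[1] = {0};
    char *s1 = guarded_strtok(buf, " ");
    char *s2 = guarded_strtok(NULL, " ");
    return s1 == NULL && s2 == NULL;
}

int main(void)
{
    /* Constructed sample input with leading, trailing and doubled
     * delimiters, the cases where a naive tokenizer miscounts. */
    char line[] = "  GET /index.html  HTTP/1.0 ";
    char *parts[8];
    size_t n = split_tokens(line, " ", parts, 8);

    printf("report pattern safe: %s\n", report_pattern_is_safe() ? "yes" : "no");
    printf("%zu tokens\n", n);
    for (size_t i = 0; i < n; i++)
        printf("  [%zu] %s\n", i, parts[i]);
    return 0;
}
```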


