Re: Integer overflows in memchr
From: Bruno Haible
Subject: Re: Integer overflows in memchr
Date: Wed, 26 Jun 2024 13:57:25 +0200
Po Lu wrote:
> I believe that the semantics of the POSIX specification of this GNU
> function omit the implied guarantee that strnlen will never examine
> bytes beyond the first null byte
There is no such guarantee, not even implied.
> , made in (libc)String Length:
>
> If the array S of size MAXLEN contains a null byte, the ‘strnlen’
     ^^^^^^^^^^^^^^^^^^^^^^^^^^
> function returns the length of the string S in bytes. Otherwise it
> returns MAXLEN.
When the text says "the array S of size MAXLEN", it means that the bytes
S[0], S[1], ..., S[MAXLEN-1] must be accessible. Which is not the case if
you pass MAXLEN as > ~(uintptr_t)S.
The implementation could, for example, examine
S[0], S[MAXLEN-1], S[1], S[MAXLEN-2], ...
in this order and thus achieve the "more efficient" statement.
> Does this not imply that Android's strnlen implementation is incorrect?
Android's strnlen [1] is not incorrect, because the same requirements
that hold for memchr also hold for strnlen.
Bruno
[1] https://android.googlesource.com/platform/bionic.git/+/refs/heads/main/libc/bionic/strnlen.cpp
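The access-order argument in the message above, as an added example that is not part of the original message and is not taken from glibc, Gnulib or bionic: a strnlen that probes S[0], S[MAXLEN-1], S[1], S[MAXLEN-2], ... still returns the right length but reads bytes past the first null, so the caller must make all MAXLEN bytes accessible. The names `maxlen_wraps` and `strnlen_outside_in` and the sample buffer are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper: nonzero when S[0..maxlen-1] cannot all be accessible
   because S + maxlen would wrap the address space (MAXLEN > ~(uintptr_t)S). */
int maxlen_wraps(const void *s, size_t maxlen)
{
    return maxlen > ~(uintptr_t)s;
}

/* Hypothetical strnlen that probes S[0], S[maxlen-1], S[1], S[maxlen-2], ...
   Returns the same value as strnlen; *max_touched gets the highest index read. */
size_t strnlen_outside_in(const char *s, size_t maxlen, size_t *max_touched)
{
    size_t lo = 0, hi = maxlen;
    size_t first_nul = maxlen;      /* lowest NUL index seen from the high end */

    *max_touched = 0;
    while (lo < hi) {
        if (lo > *max_touched)
            *max_touched = lo;
        if (s[lo] == '\0')
            return lo;              /* everything below lo was non-NUL */
        lo++;
        if (lo < hi) {
            hi--;
            if (hi > *max_touched)
                *max_touched = hi;
            if (s[hi] == '\0')
                first_nul = hi;     /* hi only decreases, so this is the lowest */
        }
    }
    return first_nul;
}

int main(void)
{
    /* Constructed sample: NUL at index 2, array fully accessible for 8 bytes. */
    const char buf[8] = { 'a', 'b', '\0', 'c', 'd', 'e', 'f', 'g' };
    size_t touched;
    size_t len = strnlen_outside_in(buf, sizeof buf, &touched);

    printf("len=%zu highest index read=%zu\n", len, touched);
    printf("SIZE_MAX wraps: %d\n", maxlen_wraps(buf, SIZE_MAX));
    return 0;
}
```

With the sample buffer the function returns 2 after reading index 7, which is why a MAXLEN larger than the real object is outside the contract even when a null byte comes early.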