bug-gnulib

Re: Integer overflows in memchr


From: Bruno Haible
Subject: Re: Integer overflows in memchr
Date: Wed, 26 Jun 2024 13:57:25 +0200

Po Lu wrote:
> I believe that the semantics of the POSIX specification of this GNU
> function omit the implied guarantee that strnlen will never examine
> bytes beyond the first null byte

There is no such guarantee, not even implied.

> , made in (libc)String Length:
> 
>      If the array S of size MAXLEN contains a null byte, the ‘strnlen’
          ^^^^^^^^^^^^^^^^^^^^^^^^^^
>      function returns the length of the string S in bytes.  Otherwise it
>      returns MAXLEN.

When the text says "the array S of size MAXLEN", it means that the bytes
S[0], S[1], ..., S[MAXLEN-1] must be accessible. Which is not the case if
you pass MAXLEN as > ~(uintptr_t)S.

The implementation could, for example, examine
  S[0], S[MAXLEN-1], S[1], S[MAXLEN-2], ...
in this order and thus achieve the "more efficient" statement.

> Does this not imply that Android's strnlen implementation is incorrect?

Android's strnlen [1] is not incorrect, because the same requirements
that hold for memchr also hold for strnlen.

Bruno

[1] https://android.googlesource.com/platform/bionic.git/+/refs/heads/main/libc/bionic/strnlen.cpp
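As an added illustration (not code from the thread, from gnulib or from bionic), here is a hypothetical strnlen that inspects bytes from both ends of the array, which the reply says the contract permits, next to a check of the precondition it relies on: MAXLEN must not exceed ~(uintptr_t)S, otherwise S + MAXLEN wraps the address space. The function names are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Nonzero when S[0] .. S[MAXLEN-1] can all be addressed without the pointer
   arithmetic wrapping around, i.e. MAXLEN <= ~(uintptr_t)S.  A caller who
   passes SIZE_MAX as "no limit" violates this for every non-null S, and the
   call is undefined even if a linear scan would stop at an early null byte. */
int strnlen_bound_ok(const char *s, size_t maxlen)
{
    return maxlen <= ~(uintptr_t)s;
}

/* Hypothetical strnlen that examines S[0], S[MAXLEN-1], S[1], S[MAXLEN-2], ...
   It touches S[MAXLEN-1] even when S[0] is already a null byte, so it is only
   correct for callers who honour the precondition above.  The front scan stops
   at the first null it meets; the back scan records the lowest null it sees,
   which is the answer if the front scan never finds one. */
size_t two_ended_strnlen(const char *s, size_t maxlen)
{
    size_t front = 0, back = maxlen;   /* unscanned range is [front, back) */
    size_t lowest_null = maxlen;       /* lowest null index seen from the back */
    while (front < back) {
        if (s[front] == '\0')
            return front;              /* every byte before FRONT is non-null */
        front++;
        if (front < back) {
            back--;
            if (s[back] == '\0')
                lowest_null = back;    /* BACK only decreases, so this is lowest */
        }
    }
    return lowest_null;
}

int main(void)
{
    char buf[16] = "abc";              /* constructed sample input */
    printf("len = %zu\n", two_ended_strnlen(buf, sizeof buf));        /* 3 */
    printf("bound ok (sizeof buf): %d\n", strnlen_bound_ok(buf, sizeof buf)); /* 1 */
    printf("bound ok (SIZE_MAX):   %d\n", strnlen_bound_ok(buf, SIZE_MAX));   /* 0 */
    return 0;
}
```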
