[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Integer overflows in memchr
From: |
Po Lu |
Subject: |
Re: Integer overflows in memchr |
Date: |
Wed, 26 Jun 2024 20:18:15 +0800 |
User-agent: |
Gnus/5.13 (Gnus v5.13) |
Bruno Haible <bruno@clisp.org> writes:
> When the text says "the array S of size MAXLEN", it means that the bytes
> S[0], S[1], ..., S[MAXLEN-1] must be accessible. Which is not the case if
> you pass MAXLEN as > ~(uintptr_t)S.
>
> The implementation could, for example, examine
> S[0], S[MAXLEN-1], S[1], S[MAXLEN-2], ...
> in this order and thus achieve the "more efficient" statement.
Then the libc documentation is self-contradictory, because this is not
even remotely equivalent to (strlen (S) < MAXLEN ? strlen (S) : MAXLEN),
not to mention inconsistent with established usage, in Emacs no less
than in Gnulib and glibc themselves. lib/fnmatch.c:
int
fnmatch (const char *pattern, const char *string, int flags)
{
if (__glibc_unlikely (MB_CUR_MAX != 1))
{
mbstate_t ps;
size_t n;
const char *p;
WCHAR_T *wpattern_malloc = NULL;
WCHAR_T *wpattern;
WCHAR_T *wstring_malloc = NULL;
WCHAR_T *wstring;
size_t alloca_used = 0;
/* Convert the strings into wide characters. */
memset (&ps, '\0', sizeof (ps));
p = pattern;
n = strnlen (pattern, 1024);
What guarantees that all 1024 bytes subsequent to PATTERN will be
accessible?
- Integer overflows in memchr, Po Lu, 2024/06/25
- Re: Integer overflows in memchr, Po Lu, 2024/06/26
- Re: Integer overflows in memchr, Bruno Haible, 2024/06/26
- Re: Integer overflows in memchr, Po Lu, 2024/06/26
- Re: Integer overflows in memchr, Bruno Haible, 2024/06/26
- Re: Integer overflows in memchr,
Po Lu <=
- Re: Integer overflows in memchr, Paul Eggert, 2024/06/26
- Re: Integer overflows in memchr, Paul Eggert, 2024/06/26
- Re: Integer overflows in memchr, Po Lu, 2024/06/26
- Re: Integer overflows in memchr, Po Lu, 2024/06/30
- Re: Integer overflows in memchr, Paul Eggert, 2024/06/30
- Re: Integer overflows in memchr, Po Lu, 2024/06/30
- Re: Integer overflows in memchr, Paul Eggert, 2024/06/30
- Re: Integer overflows in memchr, Po Lu, 2024/06/30
- Re: Integer overflows in memchr, Paul Eggert, 2024/06/30
- Re: Integer overflows in memchr, Po Lu, 2024/06/30