From: Alejandro Colomar <alx@kernel.org>
To: bug-gnulib@gnu.org
Cc: "Alejandro Colomar" <alx@kernel.org>,
"Paul Eggert" <eggert@cs.ucla.edu>,
"Đoàn Trần Công Danh" <congdanhqx@gmail.com>,
"Eli Schwartz" <eschwartz93@gmail.com>,
"Sam James" <sam@gentoo.org>, "Serge Hallyn" <serge@hallyn.com>,
"Iker Pedrosa" <ipedrosa@redhat.com>,
"Andrew J. Hesford" <ajh@sideband.org>,
"Michael Vetter" <jubalh@iodoru.org>,
liba2i@lists.linux.dev
Subject: [PATCH v1] xstrtol: 1 is not a valid base
Date: Thu, 18 Jul 2024 18:52:07 +0200 [thread overview]
Message-ID: <20240718165154.38938-1-alx@kernel.org> (raw)
[-- Attachment #1: Type: text/plain, Size: 1911 bytes --]
If xstrtol() was being called with a base of 1, under some conditions it
would invoke Undefined Behavior.
Here's the code that would trigger UB:
char *end;
xstrtol(str, &end, 1, ...); // Let's ignore trailing args.
The reason why this triggers UB is that since the following line lets a
base of 1 go through:
assure (0 <= strtol_base && strtol_base <= 36);
then we arrive at this call:
tmp = __strtol (s, p, strtol_base);
which sets errno to EINVAL and returns 0 immediately, without updating
the 'p' pointer. Then, the following line of code:
if (*p == s)
dereferences an uninitialized pointer.
This was found while searching for examples of why strtol(3) is a bad
API, and how it makes it so easy to misuse.
Fixes: 034a18049cbc (2014-12-20, "assure: new module")
Link: <https://github.com/void-linux/void-packages/issues/51261#issuecomment-2237013621>
Cc: Paul Eggert <eggert@cs.ucla.edu>
Cc: Đoàn Trần Công Danh <congdanhqx@gmail.com>
Cc: Eli Schwartz <eschwartz93@gmail.com>
Cc: Sam James <sam@gentoo.org>
Cc: Serge Hallyn <serge@hallyn.com>
Cc: Iker Pedrosa <ipedrosa@redhat.com>
Cc: "Andrew J. Hesford" <ajh@sideband.org>
Cc: Michael Vetter <jubalh@iodoru.org>
Cc: <liba2i@lists.linux.dev>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
---
Range-diff against v0:
-: ---------- > 1: 49c4c25b0a xstrtol: 1 is not a valid base
lib/xstrtol.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/xstrtol.c b/lib/xstrtol.c
index e4bce43681..575c16d45f 100644
--- a/lib/xstrtol.c
+++ b/lib/xstrtol.c
@@ -83,7 +83,7 @@ __xstrtol (const char *s, char **ptr, int strtol_base,
__strtol_t tmp;
strtol_error err = LONGINT_OK;
- assure (0 <= strtol_base && strtol_base <= 36);
+ assure (0 == strtol_base || (2 <= strtol_base && strtol_base <= 36));
p = (ptr ? ptr : &t_ptr);
--
2.45.2
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next reply other threads:[~2024-07-18 16:52 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-18 16:52 Alejandro Colomar [this message]
2024-07-18 18:06 ` [PATCH v1] xstrtol: 1 is not a valid base Bruno Haible
2024-07-18 19:53 ` Alejandro Colomar
2024-07-19 16:47 ` Bruno Haible
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240718165154.38938-1-alx@kernel.org \
--to=alx@kernel.org \
--cc=ajh@sideband.org \
--cc=bug-gnulib@gnu.org \
--cc=congdanhqx@gmail.com \
--cc=eggert@cs.ucla.edu \
--cc=eschwartz93@gmail.com \
--cc=ipedrosa@redhat.com \
--cc=jubalh@iodoru.org \
--cc=liba2i@lists.linux.dev \
--cc=sam@gentoo.org \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox