Bug #7350

wcsncasecmp reads data from buffers when count is zero

Added by Robert Mustacchi almost 4 years ago. Updated almost 4 years ago.

Status: Closed
Priority: Normal
Category: lib - userland libraries
Start date: 2016-09-01
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags:
Gerrit CR:

Description

The current construction of wcsncasecmp checks the data in the passed-in strings before it checks the value of the specified number of wide characters to check. This means that when n is zero, it actually reads and compares the first characters of each wide character string and ends up returning something based on that value. This is incorrect. While the behavior when the number of characters is zero, most other implementations just return zero and in fact don't potentially crash. The following program will crash:

#include <wchar.h>
#include <stdio.h>
#include <stdint.h>

int
main(void)
{
        int ret;
        wchar_t *a = (void *)(uintptr_t)0x8;
        wchar_t *b = (void *)(uintptr_t)0x32;

        ret = wcsncasecmp(a, b, 0);
        printf("%d\n", ret);
        return (0);
}

History

#1

Updated by Electric Monk almost 4 years ago

  • Status changed from New to Closed

git commit f2d34afa1058d195513e7ab9a6c1f0ce38b4d05b

commit  f2d34afa1058d195513e7ab9a6c1f0ce38b4d05b
Author: Robert Mustacchi <rm@joyent.com>
Date:   2016-09-07T23:05:51.000Z

    7350 wcsncasecmp reads data from buffers when count is zero
    7344 wcsncasecmp shouldn't take one for the road
    Reviewed by: Dan McDonald <danmcd@omniti.com>
    Reviewed by: Ryan Zezeski <ryan@zinascii.com>
    Reviewed by: James Blachly <james.blachly@gmail.com>
    Approved by: Richard Lowe <richlowe@richlowe.net>
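
The ordering problem in the description, as an added example that is not the illumos source or the committed fix: `cmp_data_first` and `cmp_count_first` are hypothetical functions written for this illustration, and the `reads` counter is an assumption added so the difference can be observed on valid buffers instead of by crashing.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>
#include <wctype.h>

/*
 * Constructed illustration: the data is read and compared before n is
 * consulted, so n == 0 still dereferences s1[0] and s2[0].
 * *reads counts how many element pairs were dereferenced.
 */
int
cmp_data_first(const wchar_t *s1, const wchar_t *s2, size_t n, size_t *reads)
{
        do {
                wint_t c1 = towlower((wint_t)*s1++);
                wint_t c2 = towlower((wint_t)*s2++);
                (*reads)++;
                if (c1 != c2)
                        return (c1 < c2 ? -1 : 1);
                if (c1 == L'\0')
                        return (0);
        } while (n != 0 && --n != 0);
        return (0);
}

/* Count checked first: with n == 0 neither pointer is dereferenced. */
int
cmp_count_first(const wchar_t *s1, const wchar_t *s2, size_t n, size_t *reads)
{
        while (n-- != 0) {
                wint_t c1 = towlower((wint_t)*s1++);
                wint_t c2 = towlower((wint_t)*s2++);
                (*reads)++;
                if (c1 != c2)
                        return (c1 < c2 ? -1 : 1);
                if (c1 == L'\0')
                        return (0);
        }
        return (0);
}

int
main(void)
{
        size_t r1 = 0, r2 = 0;
        int a = cmp_data_first(L"a", L"b", 0, &r1);   /* constructed input */
        int b = cmp_count_first(L"a", L"b", 0, &r2);
        printf("data first: ret=%d reads=%zu\n", a, r1);
        printf("count first: ret=%d reads=%zu\n", b, r2);
        return (0);
}
```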
