Bug 189525
| Summary: | ctype isctype function (i.e., isprint, isalpha) seg fault for valid ints | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | paul.knowles |
| Component: | glibc | Assignee: | Jakub Jelinek <jakub> |
| Status: | CLOSED NOTABUG | QA Contact: | Brian Brock <bbrock> |
| Severity: | high | Docs Contact: | |
| Priority: | medium | ||
| Version: | 5 | ||
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2006-04-20 20:21:35 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Please read ISO C99, 7.4 (1): The header <ctype.h> declares several functions useful for classifying and mapping characters. In all cases the argument is an int, the value of which shall be representable as an unsigned char or shall equal the value of the macro EOF. If the argument has any other value, the behavior is undefined. Similar wording is in the POSIX standard, e.g.: http://www.opengroup.org/onlinepubs/009695399/functions/isalnum.html A segfault is perfectly valid handling of undefined behavior.

Hooray, a perfect implementation of a broken spec. We should all be _so_ proud.
Description of problem:

The ctype identification functions defined in ctype.h via the `int isCHARACTERISTIC(int c);` and the `__exctype (CHARACTERISTIC);` macro do not work correctly for all possible int c values. If c > 96143 is entered (i386), the call seg faults.

Version-Release number of selected component (if applicable):

The problem has been verified with gcc (GCC) 4.1.0 20060304 (Red Hat 4.1.0-3) on i386 with glibc 2.4-4 (FC5) (isprint(96144) seg faults). The problem has also been seen on x86_64 (FC4) where the magic number is 74207, with gcc (GCC) 4.0.2 20051125 and gcc32 (GCC) 3.2.3 20030502 with glibc 2.3.6-3. On FC3, the problem doesn't appear.

How reproducible: always

Steps to Reproduce:

```c
#include <stdio.h>
#include <ctype.h>

int main(void)
{
    isalnum(96144);  // seg fault on i386
    isalpha(74208);  // segfault on x86_64

    /* all these functions are affected:
       int iscntrl(int c);
       int isdigit(int c);
       int islower(int c);
       int isgraph(int c);
       int isprint(int c);
       int ispunct(int c);
       int isspace(int c);
       int isupper(int c);
       int isxdigit(int c);
    */
    return 0;
}
```

Actual results: seg fault

Expected results: functions defined as accepting int had best work correctly for all int values!

Additional info: argp() uses isprint() to test option key indices: code that compiled and worked on FC3 mysteriously stopped working on FC4 and FC5 due to this bug. If input validation routines rely on this test there are possible opportunities for denial of service attacks.
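The practical mitigation for code like the argp-style check described above is to never hand the `<ctype.h>` classifiers a value outside the range ISO C99 7.4 (1) permits (EOF or 0..UCHAR_MAX), and to cast a plain `char` to `unsigned char` before classifying it, because on i386 and x86_64 `char` is signed and every byte >= 0x80 arrives as a negative int. The following is an added example, not code from the bug report or from glibc; the names `ctype_arg_ok`, `safe_isprint`, `char_isprint` and `count_printable` are hypothetical, the probe values are constructed (the two magic numbers are taken from the report), and the classification results assume the default "C" locale, in which only ASCII is printable.

```c
/* Range-checked use of the <ctype.h> classifiers (added example, not from
 * the bug report or glibc; helper names are hypothetical).
 * Build: cc -std=c99 -Wall ctype_check.c */
#include <ctype.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* ISO C99 7.4 (1): the argument must be EOF or representable as unsigned
 * char. Anything else is undefined behaviour, whether or not it crashes. */
int ctype_arg_ok(int c)
{
    return c == EOF || (c >= 0 && c <= UCHAR_MAX);
}

/* isprint() that never passes an out-of-range value to libc. Values the
 * standard does not cover are reported as "not printable" (0), so a caller
 * using this as an input filter rejects them instead of crashing. */
int safe_isprint(int c)
{
    if (!ctype_arg_ok(c))
        return 0;
    return isprint(c) != 0;
}

/* Classifying a plain char: where char is signed, bytes >= 0x80 are negative
 * and, apart from -1 (which collides with EOF), out of range. Casting to
 * unsigned char first is the standard idiom. */
int char_isprint(char ch)
{
    return isprint((unsigned char)ch) != 0;
}

/* Count printable bytes in an arbitrary buffer using the cast idiom. */
size_t count_printable(const char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (char_isprint(buf[i]))
            n++;
    return n;
}

int main(void)
{
    /* Constructed probes: boundaries plus the two values from the report. */
    const int probes[] = { 'a', ' ', '\n', EOF, 0x7F, 0x80, UCHAR_MAX,
                           UCHAR_MAX + 1, 96144, 74208 };
    const size_t nprobes = sizeof probes / sizeof probes[0];

    for (size_t i = 0; i < nprobes; i++)
        printf("%7d  in-range=%d  safe_isprint=%d\n",
               probes[i], ctype_arg_ok(probes[i]), safe_isprint(probes[i]));

    /* Constructed sample: 3 printable ASCII bytes, 2 controls, 2 high bytes. */
    const char sample[] = "ab\tc\n\xC3\xA9";
    printf("printable bytes: %zu\n", count_printable(sample, sizeof sample - 1));
    return 0;
}
```

Whether an out-of-range argument segfaults, returns garbage or happens to work depends on the libc's table layout, which is exactly why the reporter saw it start failing between releases; the range check is what makes the result defined rather than merely lucky.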