Bug 2072329

Summary: mbsrtowcs and mbsnrtowcs fortification should be skipped for NULL __dst [rhl-8.7.0]
Product: Red Hat Enterprise Linux 8 Reporter: Siddhesh Poyarekar <sipoyare>
Component: glibcAssignee: Siddhesh Poyarekar <sipoyare>
Status: CLOSED ERRATA QA Contact: Martin Coufal <mcoufal>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.7CC: ashankar, codonell, dj, fweimer, mcoufal, mnewsome, pfrankli, sipoyare
Target Milestone: rcKeywords: Regression, Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: glibc-2.28-199.el8 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-11-08 10:43:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Siddhesh Poyarekar 2022-04-06 02:45:54 UTC 
Description of problem:
One of the patches backported for bug 2033684 results in a regression for mbsrtowcs where providing a NULL destination should result in the input length being ignored, but it isn't.

Version-Release number of selected component (if applicable):
glibc-2.28-194.el8

How reproducible:
Always

Steps to Reproduce:

$ cat > test.c
    #include <wchar.h>

    int main (void)
    {
        const char *hw = "HelloWorld";
        mbsrtowcs (NULL, &hw, (size_t)-1, NULL);
        return 0;
    }

$ gcc -O2 -Wp,-D_FORTIFY_SOURCE=2 test.c -o test && ./test

Actual results:
    In file included from /usr/include/features.h:490,
                     from /usr/include/bits/libc-header-start.h:33,
                     from /usr/include/wchar.h:27,
                     from test.c:1:
    In function 'mbsrtowcs',
        inlined from 'main' at test.c:6:9:
    /usr/include/bits/wchar2.h:428:10: warning: call to '__mbsrtowcs_chk_warn' declared with attribute warning: mbsrtowcs called with dst buffer smaller than len * sizeof (wchar_t) [-Wattribute-warning]
      428 |   return __glibc_fortify_n (mbsrtowcs, __len, sizeof (wchar_t),
          |          ^~~~~~~~~~~~~~~~~

Expected results:
No warnings and no crash.

Additional info:
Comment 1 Carlos O'Donell 2022-04-06 17:04:38 UTC 
When fixing mbstowcs we had the same issue.

I noted this in commit 61af4bbb2ae5a4eefc4c4243135747bbdb0f0684
    
    The mbsrtowcs and mbsnrtowcs behave similarly, and mbsrtowcs is
    documented as doing this in C11, even if the standard doesn't come out
    and call out this specific use case.  We add one note to each of
    mbsrtowcs and mbsnrtowcs to call out that they support a null pointer
    for the destination.

... but I didn't extend the test case to cover these, sorry!
Comment 8 errata-xmlrpc 2022-11-08 10:43:12 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (glibc bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7684