Bug 110854 - ctime function crash data in memory allocated before his first call
Status: CLOSED NOTABUG
Product: Red Hat Linux
Classification: Retired
Component: libc   
Version: 9
Hardware: i686
OS: Linux
high
high
Target Milestone: ---
Assignee: Jakub Jelinek
URL: http://www.chasqui.cu
Reported: 2003-11-24 21:39 UTC by Iosvany Moya Cruz
Modified: 2005-10-31 22:00 UTC (History)
Last Closed: 2003-12-02 16:32:16 UTC

Description Iosvany Moya Cruz 2003-11-24 21:39:23 UTC
Description of problem:
The following code produces wrong output, but if we uncomment the
line "//ctime(&bug);" -> "ctime(&bug);" it produces correct output.
Evidently the ctime() function from the standard library crashes the data...
Oops, is this a bug or not!!??

-- start code --

#include <stdio.h>
#include <stdlib.h>   /* malloc(); missing from the original, which relied on an implicit declaration */
#include <string.h>
#include <time.h>

typedef struct list_struct { char *string; struct list_struct *next; } list_t;

static list_t *head_ptr = NULL;

int main(int argc, char *argv[])
{
   char cmd[8912]; list_t *newnode; time_t bug; time(&bug);
   // ctime(&bug);
   while (fgets(cmd, 8912, stdin) != NULL)
      { if (*(cmd + strlen(cmd) - 1) == '\n') *(cmd + strlen(cmd) - 1) = 0;
        /* one allocation for the node header plus the string */
        newnode = (list_t *)(malloc(sizeof(list_t) + strlen(cmd) + 1));
        /* the reporter's bug (see Comment 1): newnode + sizeof(list_t) advances by
           sizeof(list_t) *nodes*, not bytes, so the string is written outside the allocation */
        newnode->string = (char *)(newnode + sizeof(list_t));
        strcpy(newnode->string, cmd);
        newnode->next = head_ptr; head_ptr = newnode; }
   while (head_ptr != NULL)
     { printf("%s afterwards %s\n", head_ptr->string, ctime(&bug));
       head_ptr = head_ptr->next; }
   return 0;
}

-- end code --


Version-Release number of selected component (if applicable):
glibc-2.3.2-11.9

How reproducible:
Every time

Steps to Reproduce:
1. Allocate memory for more than one char*
2. Make the first call to ctime() after step 1
3. Print the char*
  
Actual results:
The first char* is OK but the rest are crashed.

Expected results:
All char* should be OK.

Additional info:
If we make the first call to the ctime function before allocating memory
for our char*, everything is all right...

Comment 1 Jakub Jelinek 2003-12-02 16:32:16 UTC
Your testcase is buggy.
(char *)(newnode + sizeof(list_t));
may well point beyond the end of the allocated buffer and if not (e.g. when the string is long),
certainly the end of the string will overflow the buffer.  Guess you meant either
(char *)(newnode + 1) or (char *) newnode + sizeof(list_t).
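The following program is an added illustration of Comment 1; it is not part of the bug report or of glibc. It measures, on a real array so the arithmetic stays well-defined, how far the reporter's expression `(char *)(newnode + sizeof(list_t))` lands from the start of the node compared with the two corrected forms Jakub suggests, and then rebuilds the reporter's list with the corrected placement, calls `ctime()` after the allocations exactly as the report does, and checks that every stored string survives. The input strings are constructed for the example. Why calling `ctime()` first appeared to "fix" the original is incidental: the first call allocates internally and shifts the heap layout, so the out-of-bounds write most likely landed in memory nothing else was using.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

typedef struct list_struct { char *string; struct list_struct *next; } list_t;

/* An array large enough that every index used below is a valid element,
 * so the pointer arithmetic is defined and we can measure it honestly. */
static list_t scratch[sizeof(list_t) + 1];

/* The reporter's expression: pointer arithmetic scales by the pointee size,
 * so `newnode + sizeof(list_t)` moves sizeof(list_t) *nodes* forward. */
size_t offset_of_buggy_expr(void)
{
    list_t *newnode = scratch;
    char *s = (char *)(newnode + sizeof(list_t));
    return (size_t)(s - (char *)newnode);
}

/* Either of Jakub's two forms: exactly sizeof(list_t) bytes past the header,
 * which is where the strlen(cmd) + 1 extra bytes of the allocation begin. */
size_t offset_of_fixed_expr(void)
{
    list_t *newnode = scratch;
    char *a = (char *)(newnode + 1);
    char *b = (char *)newnode + sizeof(list_t);
    return (a == b) ? (size_t)(a - (char *)newnode) : (size_t)-1;
}

/* Corrected version of the reporter's allocation scheme: one malloc for the
 * node header plus the string, with the string placed right after the header. */
static list_t *push_string(list_t *head, const char *s)
{
    size_t len = strlen(s);
    list_t *newnode = malloc(sizeof(list_t) + len + 1);
    if (newnode == NULL)
        return head;
    newnode->string = (char *)(newnode + 1);
    memcpy(newnode->string, s, len + 1);
    newnode->next = head;
    return newnode;
}

static void free_list(list_t *head)
{
    while (head != NULL) {
        list_t *next = head->next;
        free(head);
        head = next;
    }
}

/* Build the list from constructed inputs, make the first ctime() call after
 * the allocations as the report does, and return how many strings are intact. */
int count_intact(void)
{
    static const char *inputs[] = { "alpha", "beta", "a much longer command line than the others" };
    const size_t n = sizeof(inputs) / sizeof(inputs[0]);
    list_t *head = NULL;
    time_t now = time(NULL);
    int intact = 0;
    size_t i;

    for (i = 0; i < n; i++)
        head = push_string(head, inputs[i]);
    (void)ctime(&now);                      /* first ctime() call, after the allocations */

    i = n;                                  /* the list is LIFO, so walk inputs backwards */
    for (list_t *node = head; node != NULL; node = node->next) {
        i--;
        if (strcmp(node->string, inputs[i]) == 0)
            intact++;
    }
    free_list(head);
    return intact;
}

int main(void)
{
    printf("buggy expression offset: %zu bytes (only strlen(cmd) + 1 bytes follow the %zu-byte header)\n",
           offset_of_buggy_expr(), sizeof(list_t));
    printf("fixed expression offset: %zu bytes\n", offset_of_fixed_expr());
    printf("%d of 3 strings intact after ctime()\n", count_intact());
    return 0;
}
```

On a 32-bit i686 build like the reporter's, `sizeof(list_t)` is 8, so the buggy expression points 64 bytes past the node while the allocation holds only 8 + strlen(cmd) + 1 bytes; the `strcpy` then writes into whatever the allocator placed next, typically the previous node's string. Tools such as Valgrind or AddressSanitizer flag this write immediately, which is the quickest way to tell a library bug from a test-case bug in reports of this shape.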

