Bug 110854 - ctime function crashes data in memory allocated before its first call
Status: CLOSED NOTABUG
Product: Red Hat Linux
Classification: Retired
Component: libc
Version: 9
Platform: i686 Linux
Priority: high
Severity: high
Assigned To: Jakub Jelinek
URL: http://www.chasqui.cu
Reported: 2003-11-24 16:39 EST by Iosvany Moya Cruz
Modified: 2005-10-31 17:00 EST
Last Closed: 2003-12-02 11:32:16 EST
Doc Type: Bug Fix

Description Iosvany Moya Cruz 2003-11-24 16:39:23 EST
Description of problem:
The following code produces wrong output, but if we uncomment the
line "//ctime(&bug);" -> "ctime(&bug);" it produces the right output.
Evidently the ctime() function from the standard library crashes the data...
Oops, is this a bug or not!!??

-- start code --

#include <stdio.h>
#include <stdlib.h>   /* for malloc */
#include <string.h>
#include <time.h>

typedef struct list_struct { char *string; struct list_struct *next; } list_t;

static list_t *head_ptr = NULL;

int main(int argc, char *argv[])
{
   char cmd[8912];
   list_t *newnode;
   time_t bug;
   time(&bug);
   // ctime(&bug);
   while (fgets(cmd, 8912, stdin) != NULL) {
      /* strip the trailing newline */
      if (*(cmd + strlen(cmd) - 1) == '\n') *(cmd + strlen(cmd) - 1) = 0;
      newnode = (list_t *)(malloc(sizeof(list_t) + strlen(cmd) + 1));
      /* pointer arithmetic on a list_t* steps in whole structs, so this
         points sizeof(list_t) structs (not bytes) past newnode: the defect
         identified in comment 1 below */
      newnode->string = (char *)(newnode + sizeof(list_t));
      strcpy(newnode->string, cmd);
      newnode->next = head_ptr;
      head_ptr = newnode;
   }
   while (head_ptr != NULL) {
      printf("%s afterwards %s\n", head_ptr->string, ctime(&bug));
      head_ptr = head_ptr->next;
   }
   return 0;
}

-- end code --


Version-Release number of selected component (if applicable):
glibc-2.3.2-11.9

How reproducible:
Every time

Steps to Reproduce:
1. allocate memory for more than one char*
2. first call to ctime() after step 1
3. print the char*
  
Actual results:
the first char* is OK but the rest are crashed

Expected results:
All char* should be OK

Additional info:
If we make the first call to the ctime function before allocating memory
for our char*, everything is all right...
Comment 1 Jakub Jelinek 2003-12-02 11:32:16 EST
Your testcase is buggy.
(char *)(newnode + sizeof(list_t));
may well point beyond end of the allocated buffer and if not (e.g. when the string is long),
certainly the end of the string will overflow the buffer.  Guess you meant either
(char *)(newnode + 1) or (char *) newnode + sizeof(list_t).

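Added example (not from the bug report or from glibc) that makes comment 1 concrete: it measures the byte offset the test case's expression (char *)(newnode + sizeof(list_t)) actually produces against the corrected (char *)(newnode + 1), computes how many bytes the test case's strcpy then writes past its malloc'ed block, and shows a corrected push routine. The names arena, push_fixed and free_list are chosen here; the list_t layout is the one from the test case.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct list_struct { char *string; struct list_struct *next; } list_t;

/* sizeof(list_t)+1 elements, so "arena + sizeof(list_t)" is still an
 * in-bounds pointer and the offsets below are measured without UB. */
static list_t arena[sizeof(list_t) + 1];

/* Offset the test case's expression produces: list_t* arithmetic moves in
 * whole structs, so it skips sizeof(list_t) structs, not sizeof(list_t) bytes. */
size_t buggy_string_offset(void) {
    return (size_t)((char *)(arena + sizeof(list_t)) - (char *)arena);
}

/* Offset of the corrected expression: exactly one struct. */
size_t fixed_string_offset(void) {
    return (size_t)((char *)(arena + 1) - (char *)arena);
}

/* Bytes the test case's strcpy writes past its malloc'ed block of
 * sizeof(list_t) + strlen(s) + 1 bytes; the same for every string length. */
size_t buggy_overflow_bytes(const char *s) {
    size_t alloc = sizeof(list_t) + strlen(s) + 1;
    size_t write_end = buggy_string_offset() + strlen(s) + 1;
    return write_end - alloc;
}

/* Corrected push: the string is stored right after the struct, inside the block. */
list_t *push_fixed(list_t *head, const char *s) {
    list_t *n = malloc(sizeof(list_t) + strlen(s) + 1);
    if (n == NULL) return head;
    n->string = (char *)(n + 1);   /* same address as (char *)n + sizeof(list_t) */
    memcpy(n->string, s, strlen(s) + 1);
    n->next = head;
    return n;
}

void free_list(list_t *head) {
    while (head != NULL) { list_t *next = head->next; free(head); head = next; }
}

int main(void) {
    printf("buggy offset %zu, fixed %zu, overflow %zu bytes\n", buggy_string_offset(), fixed_string_offset(), buggy_overflow_bytes("x"));
    list_t *head = push_fixed(push_fixed(NULL, "second"), "first");
    for (list_t *p = head; p != NULL; p = p->next) puts(p->string);
    free_list(head);
    return 0;
}
```

On i686 with an 8-byte list_t the buggy expression lands 64 bytes into the node and every strcpy runs 56 bytes past the allocation, which is why nodes allocated earlier (and ctime's internal buffer, depending on heap layout) come out corrupted.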