Bug 189525 - ctype isctype function (i.e., isprint, isalpha) seg fault for valid ints
Summary: ctype isctype function (i.e., isprint, isalpha) seg fault for valid ints
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: glibc
Version: 5
Hardware: i386
OS: Linux
Priority: medium
Severity: high
Target Milestone: ---
Assignee: Jakub Jelinek
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2006-04-20 18:38 UTC by paul.knowles
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2006-04-20 20:21:35 UTC
Type: ---
Embargoed:



Description paul.knowles 2006-04-20 18:38:16 UTC
Description of problem:

The ctype identification functions defined in ctype.h via the 
int isCHARACTERISTIC(int c); and the __exctype (CHARACTERISTIC);
macro do not work correctly for all possible int c values.
If c > 96143 is entered (i386), the call seg faults.

Version-Release number of selected component (if applicable):

The problem has been verified with gcc (GCC) 4.1.0 20060304
(Red Hat 4.1.0-3) on i386 with glibc 2.4-4 (FC5) 
(isprint(96144) seg faults).

The problem has also been seen on x86_64 (FC4) where 
the magic number is 74207.  gcc (GCC) 4.0.2 20051125 and 
gcc32 (GCC) 3.2.3 20030502  with glibc 2.3.6-3.

On FC3, the problem doesn't appear.

How reproducible: always

Steps to Reproduce:
/********************************/
#include <stdio.h>
#include <ctype.h>

int main(void)
{
       /* Out-of-range arguments (the reported crash): the results are
          printed only so the calls are not optimised away. */
       int r1 = isalnum(96144); // seg fault on i386
       int r2 = isalpha(74208); // segfault on x86_64
       printf("isalnum(96144) = %d, isalpha(74208) = %d\n", r1, r2);
    /*
       all these functions are affected:
       int iscntrl(int c);
       int isdigit(int c);
       int islower(int c);
       int isgraph(int c);
       int isprint(int c);
       int ispunct(int c);
       int isspace(int c);
       int isupper(int c);
       int isxdigit(int c);
     */
      return 0;
}
/****************************/

Actual results:  seg fault

Expected results: functions defined as accepting int 
 had best work correctly for all int values!

Additional info:

argp() uses isprint() to test option key indices: code that 
compiled and worked on FC3 mysteriously stopped working on 
FC4 and FC5 due to this bug.  If input validation routines 
rely on this test there are possible opportunities for denial of
service attacks.

Comment 1 Jakub Jelinek 2006-04-20 20:21:35 UTC
Please read ISO C99, 7.4 (1):
The header <ctype.h> declares several functions useful for classifying and
mapping characters.  In all cases the argument is an int, the value of which
shall be representable as an unsigned char or shall equal the value of the
macro EOF.  If the argument has any other value, the behavior is undefined.
Similar wording is in POSIX standard, e.g.:
http://www.opengroup.org/onlinepubs/009695399/functions/isalnum.html
A segfault is perfectly valid handling of undefined behavior.

Comment 2 paul.knowles 2006-04-20 20:59:37 UTC
Hooray, a perfect implementation of a broken spec.
We should all be _so_ proud.
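The practical consequence of the C99 7.4 rule quoted in comment 1 is that callers, not the library, must keep ctype arguments inside EOF or 0..UCHAR_MAX. The following is an added example (not code from this bug report or from glibc) of range-checked wrappers that reject the report's crashing values instead of invoking undefined behaviour, and that handle the usual source of bad arguments, a negative plain char; the helper names are my own.

```c
/* Added example: range-checked wrappers around <ctype.h> classifiers.
 * C99 7.4 defines them only for EOF or values representable as
 * unsigned char; 96144 and 74208 from the report fall outside that. */
#include <ctype.h>
#include <limits.h>
#include <stdio.h>

/* True if c is a legal argument for the ctype functions. */
static int ctype_arg_ok(int c)
{
    return c == EOF || (c >= 0 && c <= UCHAR_MAX);
}

/* Classify c with fn, returning 0 for out-of-domain values instead of
 * indexing past the library's table.  Result normalised to 0/1. */
static int safe_classify(int (*fn)(int), int c)
{
    if (!ctype_arg_ok(c))
        return 0;
    return fn(c) != 0;
}

/* A plain char is signed on i386/x86_64, so bytes >= 0x80 become
 * negative values other than EOF.  Casting through unsigned char
 * first keeps the argument inside 0..UCHAR_MAX. */
static int safe_classify_char(int (*fn)(int), char ch)
{
    return fn((unsigned char)ch) != 0;
}

int main(void)
{
    /* Values from the report plus other out-of-domain ints. */
    int bad[] = { 96144, 74208, -2, INT_MAX, INT_MIN };
    for (size_t i = 0; i < sizeof bad / sizeof bad[0]; i++)
        printf("isprint(%d) -> %d, argument rejected: %s\n", bad[i],
               safe_classify(isprint, bad[i]),
               ctype_arg_ok(bad[i]) ? "no" : "yes");

    printf("isalpha('A') -> %d\n", safe_classify(isalpha, 'A'));
    printf("isprint(EOF) -> %d\n", safe_classify(isprint, EOF));
    printf("isprint((char)0xE9) -> %d\n",
           safe_classify_char(isprint, (char)0xE9));
    return 0;
}
```

Passing `isprint` without a following parenthesis names the real function, so the macro forms glibc also provides are not a problem here; results above assume the default "C" locale.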

