Bug 189525 - ctype isctype function (i.e., isprint, isalpha) seg fault for valid ints
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: glibc
5
i386 Linux
medium Severity high
Assigned To: Jakub Jelinek
Brian Brock
Reported: 2006-04-20 14:38 EDT by paul.knowles
Modified: 2007-11-30 17:11 EST
Last Closed: 2006-04-20 16:21:35 EDT
Description paul.knowles 2006-04-20 14:38:16 EDT
Description of problem:

The ctype identification functions defined in ctype.h via the 
int isCHARACTERISTIC(int c); and the __exctype (CHARACTERISTIC);
macro do not work correctly for all possible int c values.
If c > 96143 is entered (i386), the call seg faults.

Version-Release number of selected component (if applicable):

The problem has been verified with gcc (GCC) 4.1.0 20060304
(Red Hat 4.1.0-3) on i386 with glibc 2.4-4 (FC5) 
(isprint(96144) seg faults).

The problem has also been seen on x86_64 (FC4) where 
the magic number is 74207.  gcc (GCC) 4.0.2 20051125 and 
gcc32 (GCC) 3.2.3 20030502  with glibc 2.3.6-3.

On FC3, the problem doesn't appear.

How reproducible: always

Steps to Reproduce:
/********************************/
#include <stdio.h>
#include <ctype.h>

int main(void)
{
       /* print the results so the calls are not optimized away */
       printf("%d\n", isalnum(96144)); // seg fault on i386
       printf("%d\n", isalpha(74208)); // segfault on x86_64
    /*
       all these functions are affected:
       int iscntrl(int c);
       int isdigit(int c);
       int islower(int c);
       int isgraph(int c);
       int isprint(int c);
       int ispunct(int c);
       int isspace(int c);
       int isupper(int c);
       int isxdigit(int c);
     */
      return 0;
}
/****************************/

Actual results:  seg fault

Expected results: functions defined as accepting int 
 had best work correctly for all int values!

Additional info:

argp() uses isprint() to test option key indices: code that 
compiled and worked on FC3 mysteriously stopped working on 
FC4 and FC5 due to this bug.  If input validation routines 
rely on this test there are possible opportunities for denial of
service attacks.
Comment 1 Jakub Jelinek 2006-04-20 16:21:35 EDT
Please read ISO C99, 7.4 (1):
The header <ctype.h> declares several functions useful for classifying and
mapping characters.  In all cases the argument is an int, the value of which
shall be representable as an unsigned char or shall equal the value of the
macro EOF.  If the argument has any other value, the behavior is undefined.
Similar wording is in the POSIX standard, e.g.:
http://www.opengroup.org/onlinepubs/009695399/functions/isalnum.html
A segfault is perfectly valid handling of undefined behavior.
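
The following is an added example, not part of the original report or of either commenter's post. It shows one way a caller can stay inside the C99 7.4(1) domain when the value being classified is an arbitrary int (such as an option key) or a byte read from a char buffer. The helper names `ctype_arg_ok`, `safe_isprint` and `count_printable` are hypothetical, and the inputs are constructed.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>

/* Hypothetical helper: C99 7.4(1) permits only values representable as
 * unsigned char, or EOF. Anything else must be rejected before the call. */
static int ctype_arg_ok(int c)
{
    return c == EOF || (c >= 0 && c <= UCHAR_MAX);
}

/* Returns 1 only for in-domain, printable values; never indexes the
 * classification table with an out-of-range int. */
int safe_isprint(int c)
{
    return ctype_arg_ok(c) && isprint(c) != 0;
}

/* Bytes taken from a char buffer: plain char may be signed, so a byte
 * >= 0x80 would become a negative int. Convert via unsigned char first. */
size_t count_printable(const char *s)
{
    size_t n = 0;
    for (; *s != '\0'; s++)
        if (isprint((unsigned char)*s))
            n++;
    return n;
}

int main(void)
{
    /* Constructed inputs: the two values from the report plus edge cases. */
    const int keys[] = { 'v', 96144, 74208, -2, EOF, UCHAR_MAX + 1 };
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("%d -> %d\n", keys[i], safe_isprint(keys[i]));
    /* 0xE9 is not printable in the default "C" locale; '\n' is a control. */
    printf("%zu\n", count_printable("h\xe9" "llo\n"));
    return 0;
}
```
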
Comment 2 paul.knowles 2006-04-20 16:59:37 EDT
Hooray, a perfect implementation of a broken spec.
We should all be _so_ proud.
