netbsd-bugs: lib/23419: Bug in libc/mbsrtowcs

Subject: lib/23419: Bug in libc/mbsrtowcs
To: None <gnats-bugs@gnats.netbsd.org>
From: None <thorbjorn@jemander.net>
List: netbsd-bugs
Date: 11/12/2003 21:16:28
>Number:         23419
>Category:       lib
>Synopsis:       mbsrtowcs() core dumps when argument 1 is NULL.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Nov 12 21:17:00 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator:     Thorbjorn Jemander
>Release:        NetBSD 1.6.1
>Organization:
>Environment:
System: NetBSD tellus 1.6.1 NetBSD 1.6.1 (TK1-NOIP6) #2: Tue Jul 29 22:10:37 CEST 2003 thorman@tellus:/usr/src/sys/arch/i386/compi
le/TK1-NOIP6 i386
Architecture: i386
Machine: i386
>Description:
According to NetBSD man pages and Google, passing NULL in argument 1
in mbsetowcs() is legal. Doing so under Linux runs OK. Doing so
under NetBSD 1.6.1 causes a core-dump.

>How-To-Repeat:

[21:02:01]thorman@tellus:~/tmp>cat > t.c
#include <wchar.h>
#include <string.h>

const char str[]="jaskdj";

int
main(int argc, char **argv)
{
    const char *p=str;
    mbstate_t mbstate;
    memset(&mbstate, 0, sizeof(mbstate_t));
    mbsrtowcs((wchar_t*)NULL, &p, 0, &mbstate);
}
[21:02:20]thorman@tellus:~/tmp>cc t.c -o t
[21:02:28]thorman@tellus:~/tmp>gdb t
GNU gdb 5.2.1
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-netbsdelf1.6.1"...
(no debugging symbols found)...
(gdb) run
Starting program: /home/thorman/tmp/t
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x480dd6da in __sclose () from /usr/lib/libc.so.12
(gdb) bt
#0  0x480dd6da in __sclose () from /usr/lib/libc.so.12
#1  0x480d9c25 in mbsrtowcs () from /usr/lib/libc.so.12
#2  0x0804898b in main ()
#3  0x08048750 in ___start ()

>Fix:
The solution[1] is patching libc: (/usr/src/lib/libc):

Index: citrus/citrus_none.c
===================================================================
RCS file: /cvsroot/src/lib/libc/citrus/citrus_none.c,v
retrieving revision 1.4.2.1
diff -r1.4.2.1 citrus_none.c
168c168
<       if (*wcs)
---
>       if (wcs != NULL && *wcs)




[1] I haven't actually tested it (not able to do that with
a reasonable effort), but it seems likely.

>Release-Note:
>Audit-Trail:
>Unformatted: