tech-misc archive


Re: Bug in TRE regular expression library



>> Which example?
> Sorry, I forgot it.  It is now added below.

>   scanf ("*%s");

While I can't see it as being your problem, this looks..questionable,
at the very least.  If the input line at this point begins with a *,
scanf will, at best, misuse stack trash as if it were a pointer and
segfault immediately; more pessimistically, misuse stack trash as if it
were a pointer and scribble on some random data structure somewhere,
leading to cryptic misbehaviour at some difficult-to-predict later
point.

If the input doesn't begin with a *, I think our implementation will
not misbehave, but I also think this is an accident of the
implementation and should not be counted on - I don't think C and/or
stdio promise that omitting arguments like this is acceptable even if
they're not stored through.  (For example, scanf might fetch the
pointer, even if it doesn't store through it, and if the machine has
trap representations for pointers it may crash when doing so.)

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML                mouse%rodents-montreal.org@localhost
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
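
The point Mouse makes above, shown in working C. This is an added example, not code from the original thread: it assumes the intent of the quoted call was to match a literal '*' and then a word, and shows the two standard ways of writing that without leaving a conversion with no argument (assignment suppression with %*s, or a bounded %31s into a real buffer). The sample input lines are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample input lines (not from the original thread). */
static const char *const SAMPLE_STAR   = "*alpha beta";
static const char *const SAMPLE_NOSTAR = "alpha beta";

/*
 * The call quoted in the thread, scanf("*%s"), is undefined behaviour
 * whenever the input begins with '*': the '*' in the format is a literal
 * that must match the input, and the %s that follows then stores through an
 * argument that was never passed.  It is shown here only as a comment and is
 * never compiled:
 *
 *     scanf("*%s");   // %s has no destination argument -> undefined behaviour
 *
 * If the input does not begin with '*', the literal fails to match, scanning
 * stops, and the %s is never reached; that is the "accident" the reply warns
 * against relying on.
 */

/*
 * Form 1: match a leading '*' and skip the token after it without storing it.
 * %*s is assignment suppression, so no argument is required.  %n records how
 * many characters were consumed.  Returns that count, or 0 when the line does
 * not start with '*' (the literal fails to match and scanning stops early).
 */
int skip_star_token(const char *line)
{
    int consumed = 0;
    (void)sscanf(line, "*%*s%n", &consumed);
    return consumed;
}

/*
 * Form 2: match a leading '*' and capture the token after it into a
 * caller-supplied buffer of fixed size.  The width in the format limits the
 * store to TOKEN_MAX characters plus the terminator, so the buffer cannot be
 * overrun.  Returns 1 when a token was stored, 0 otherwise (out is emptied).
 */
#define TOKEN_MAX 31   /* keep in sync with the width in the format below */
int read_star_token(const char *line, char out[TOKEN_MAX + 1])
{
    out[0] = '\0';
    return sscanf(line, "*%31s", out) == 1;
}

int main(void)
{
    char tok[TOKEN_MAX + 1];

    printf("skip_star_token(\"%s\") = %d\n", SAMPLE_STAR,
           skip_star_token(SAMPLE_STAR));
    printf("skip_star_token(\"%s\") = %d\n", SAMPLE_NOSTAR,
           skip_star_token(SAMPLE_NOSTAR));
    if (read_star_token(SAMPLE_STAR, tok))
        printf("token after '*': \"%s\"\n", tok);
    if (!read_star_token(SAMPLE_NOSTAR, tok))
        printf("no leading '*' in \"%s\"\n", SAMPLE_NOSTAR);
    return 0;
}
```

Both forms use sscanf on a string rather than scanf on stdin only so the example runs offline; the format strings are identical in the stdin case. The %n count in skip_star_token is also a cheap way to detect the matching failure Mouse describes, since it stays 0 whenever the literal '*' does not match.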

