path: root/src/stdlib
diff options
authorRich Felker <>2018-09-15 02:33:08 -0400
committerRich Felker <>2018-09-15 02:48:25 -0400
commitd6c855caa88ddb1ab6e24e23a14b1e7baf4ba9c7 (patch)
tree490ebfe77ff5866f5052d399dcbcfeedaf82a329 /src/stdlib
parentc84971995b3a6d5118f9357c040572f4c78bcd55 (diff)
fix undefined behavior in strto* via FILE buffer pointer abuse
in order to produce FILE objects to pass to the intscan/floatscan backends without any (prohibitively costly) extra buffering layer, the strto* functions set the FILE's rend (read end) buffer pointer to an invalid value at the end of the address space, or SIZE_MAX/2 past the beginning of the string. this led to undefined behavior comparing and subtracting the end pointer with the buffer position pointer (rpos). the comparison issue is easily eliminated by using != instead of <. however the subtractions require nontrivial changes: previously, f->shcnt stored the count that would have been read if consuming the whole buffer, which required an end pointer for the buffer. the purpose for this was that it allowed reading it and adding rpos-rend at any time to get the actual count so far, and required no adjustment at the time of __shgetc (actual function call) since the call would only happen when reaching the end of the buffer. to get rid of the dependency on rend, instead offset shcnt by buf-rpos (start of buffer) at the time of last __shlim/__shgetc call. this makes for slightly more work in __shgetc the function, but for the inline macro it's still just as easy to compute the current count. since the scan helper interfaces used here are a big hack, comments are added to document their contracts and what's going on with their implementations.
Diffstat (limited to 'src/stdlib')
2 files changed, 3 insertions, 12 deletions
diff --git a/src/stdlib/strtod.c b/src/stdlib/strtod.c
index a898b1d4..a5d0118a 100644
--- a/src/stdlib/strtod.c
+++ b/src/stdlib/strtod.c
@@ -5,10 +5,8 @@
static long double strtox(const char *s, char **p, int prec)
- FILE f = {
- .buf = (void *)s, .rpos = (void *)s,
- .rend = (void *)-1, .lock = -1
- };
+ FILE f;
+ sh_fromstring(&f, s);
shlim(&f, 0);
long double y = __floatscan(&f, prec, 1);
off_t cnt = shcnt(&f);
diff --git a/src/stdlib/strtol.c b/src/stdlib/strtol.c
index d82ecf7f..bfefea69 100644
--- a/src/stdlib/strtol.c
+++ b/src/stdlib/strtol.c
@@ -7,15 +7,8 @@
static unsigned long long strtox(const char *s, char **p, int base, unsigned long long lim)
- /* FIXME: use a helper function or macro to setup the FILE */
- f.flags = 0;
- f.buf = f.rpos = (void *)s;
- if ((size_t)s > (size_t)-1/2)
- f.rend = (void *)-1;
- else
- f.rend = (unsigned char *)s+(size_t)-1/2;
- f.lock = -1;
+ sh_fromstring(&f, s);
shlim(&f, 0);
unsigned long long y = __intscan(&f, base, 1, lim);
if (p) {