Bug#323811: libc6: initstate_r segfaults
Package: libc6
Version: 2.3.5-3
Severity: normal
Hi!
There appears to be a problem with the reentrant version of the
initstate() function.
Testcode:
#include <stdlib.h>
#include <time.h>   /* declares time(); added so the test builds cleanly */

int main(int argc, char **argv)
{
    struct random_data rand_data;   /* not initialised; this is what the report is about */
    char rand_state[256];
    // this fixes the segfault:
    // rand_data.state = (int32_t*)rand_state;
    initstate_r(time(0), rand_state, sizeof(rand_state), &rand_data);
    return 0;
}
david@zion:~/tmp$ gcc -o foo ./initstate_r_test.c
david@zion:~/tmp$ LD_LIBRARY_PATH=/usr/lib/debug/ gdb ./foo
(gdb) run
Starting program: /home/david/tmp/foo
Program received signal SIGSEGV, Segmentation fault.
0xb7e9d601 in __initstate_r (seed=1124379248, arg_state=0xbf889edc "",
n=256, buf=0xbf889fdc) at random_r.c:254
254 random_r.c: No such file or directory.
in random_r.c
(gdb)
In line 254, __initstate_r tries to set rand_data.state[-1], which
obviously fails, since rand_data is not initialised yet. The comment
claims that the function returns a pointer to the old state. This is
bogus, as the reentrant versions don't act on a global state and the
function has a return type of int.
Reading stdlib/random.c shows that __initstate_r is designed to work with
an _already_initialised_ rand_state.
Regards, David
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-p4-suspend2-4
Locale: LANG=C, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8)
-- no debconf information
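Added example, not part of the bug report above and not glibc's own code: the usage of initstate_r/random_r that does not crash. The struct random_data is zeroed before the first initstate_r call, so its state pointer is NULL and glibc treats that as "no previous state" instead of dereferencing stack garbage as in the report's testcase. The names struct prng, prng_init, prng_fill, prng_first and prng_selfcheck are this example's own; the seeds are arbitrary constants chosen here.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* initstate_r/random_r are non-ISO glibc extensions */
#endif
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* initstate_r accepts state buffers of 8, 32, 64, 128 or 256 bytes. */
#define STATE_BYTES 256

/* Example-only type: the caller owns both the bookkeeping struct and the
 * state buffer, which is the whole point of the reentrant interface. */
struct prng {
    struct random_data rd;
    char state[STATE_BYTES];
};

/* Seed a generator. Zeroing rd first is what the report's testcase is
 * missing: initstate_r inspects rd.state before installing the new buffer,
 * and NULL there means "nothing to save", whereas an uninitialised pointer
 * is written through and faults. Returns 0 on success (as initstate_r). */
static int prng_init(struct prng *p, unsigned int seed)
{
    memset(&p->rd, 0, sizeof p->rd);
    return initstate_r(seed, p->state, sizeof p->state, &p->rd);
}

/* Fill out[0..n) with successive random_r values; returns 0 on success. */
static int prng_fill(struct prng *p, int32_t *out, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (random_r(&p->rd, &out[i]) != 0)
            return -1;
    return 0;
}

/* First value of a freshly seeded generator, or -1 if seeding fails.
 * random_r yields 31-bit non-negative values, so -1 is unambiguous. */
static int32_t prng_first(unsigned int seed)
{
    struct prng p;
    int32_t v;
    if (prng_init(&p, seed) != 0 || prng_fill(&p, &v, 1) != 0)
        return -1;
    return v;
}

/* Returns 1 if two generators with the same seed produce the same stream
 * and a third with a different seed diverges, i.e. the state really lives
 * in the caller's buffers and not in the global random() state. */
static int prng_selfcheck(void)
{
    struct prng a, b, c;
    int32_t va[8], vb[8], vc[8];

    if (prng_init(&a, 12345) || prng_init(&b, 12345) || prng_init(&c, 54321))
        return 0;
    if (prng_fill(&a, va, 8) || prng_fill(&b, vb, 8) || prng_fill(&c, vc, 8))
        return 0;
    if (memcmp(va, vb, sizeof va) != 0)
        return 0;
    if (memcmp(va, vc, sizeof va) == 0)
        return 0;
    return 1;
}

int main(void)
{
    struct prng p;
    int32_t v[4];

    if (prng_init(&p, 1) != 0 || prng_fill(&p, v, 4) != 0) {
        perror("initstate_r/random_r");
        return 1;
    }
    for (int i = 0; i < 4; i++)
        printf("%d\n", v[i]);
    printf("selfcheck: %s\n", prng_selfcheck() ? "ok" : "FAILED");
    return 0;
}
```

Build with plain gcc (no -std=c99 without _DEFAULT_SOURCE or _GNU_SOURCE, otherwise the reentrant prototypes are hidden). The same zeroing rule applies to a struct random_data that is later re-seeded with srandom_r or handed to setstate_r: once it has been through initstate_r it carries a valid state pointer and must not be zeroed again, or the old state's type word will not be saved.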