[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#323811: libc6: initstate_r segfaults

Package: libc6
Version: 2.3.5-3
Severity: normal


There appears to be a problem with the reentrant version of the
initstate() function. 


#include <stdlib.h>
int main(int argc, char**argv)
	struct random_data rand_data;
	char rand_state[256];
	// this fixes the segfault:
	// rand_data.state = (int32_t*)rand_state;
	initstate_r(time(0), rand_state, sizeof(rand_state), &rand_data);

david@zion:~/tmp$ gcc -o foo ./initstate_r_test.c 
david@zion:~/tmp$ LD_LIBRARY_PATH=/usr/lib/debug/ gdb ./foo
(gdb) run
Starting program: /home/david/tmp/foo 

Program received signal SIGSEGV, Segmentation fault.
0xb7e9d601 in __initstate_r (seed=1124379248, arg_state=0xbf889edc "",
n=256, buf=0xbf889fdc) at random_r.c:254
254     random_r.c: No such file or directory.
        in random_r.c

In line 254, __initstate_r tries to set rand_data.state[-1], which
obviously fails, since rand_data is not initialised yet. The comment
claims that the function returns a pointer to the old state. This is
bogus, as the reentrant versions don't act on a global state and the
function has a return type of int.

Reading stdlib/random.c shows, that __initstate_r is designed to work with
an _already_initialised_ rand_state.

Regards, David

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-p4-suspend2-4
Locale: LANG=C, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8)

-- no debconf information

Reply to: