Bug#416928: marked as done (libc6: off-by-one bug in strxfrm())

To: Aurelien Jarno <aurelien@aurel32.net>
Subject: Bug#416928: marked as done (libc6: off-by-one bug in strxfrm())
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Tue, 24 Apr 2007 23:06:03 +0000
Message-id: <[🔎] handler.416928.D416928.117745587524762.ackdone@bugs.debian.org>
References: <20070424230436.GA20118@volta.aurel32.net> <814371d60703310749o71a5bd6eya43afda6cd5ba385@mail.gmail.com>

Your message dated Wed, 25 Apr 2007 01:04:36 +0200
with message-id <20070424230436.GA20118@volta.aurel32.net>
and subject line libc6: off-by-one bug in strxfrm()
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---

To: "Debian BTS" <submit@bugs.debian.org>
Subject: libc6: off-by-one bug in strxfrm()
From: "Piotr Engelking" <inkerman42@gmail.com>
Date: Sat, 31 Mar 2007 16:49:13 +0200
Message-id: <814371d60703310749o71a5bd6eya43afda6cd5ba385@mail.gmail.com>

Package: libc6
Version: 2.3.6.ds1-13
Severity: normal

The result of strxfrm() varies depending on the length of the destination
buffer. In particular, in the pl_PL.UTF8 locale, strxfrm(buf, "a", i)
returns 6 for i <= 6, and 5 for i > 6 (and the string placed in the
destination buffer does, indeed, have the length of 5). This mismatch is
probably unintended. It is also a violation of the C standard, which states:

   "The  strxfrm  function  returns  the  length  of  the transformed
   string (not including the terminating null character)."


Steps to reproduce:

$ cat foo.c
#include <locale.h>
#include <stdio.h>
#include <string.h>

int
main(void)
{
   char buf[42];
   size_t i;

   printf("%s\n", setlocale(LC_COLLATE, "pl_PL.UTF8"));

   for (i = 0; i <= 9; ++i)
   {
       char *p;

       memset(buf, '\0', sizeof(buf));
       printf("%zd: %zd:", i, strxfrm(buf, "a", i));

       for (p = buf; *p; ++p)
           printf(" %02x", (int)*p);

       printf("\n");
   }

   return 0;
}
$ gcc foo.c && ./a.out
pl_PL.UTF8
0: 6:
1: 6:
2: 6: 0c 01
3: 6: 0c 01
4: 6: 0c 01 08 01
5: 6: 0c 01 08 01
6: 6: 0c 01 08 01 02 01
7: 5: 0c 01 08 01 02
8: 5: 0c 01 08 01 02
9: 5: 0c 01 08 01 02
$


-- System Information:
Debian Release: 4.0
 APT prefers testing
 APT policy: (500, 'testing')
Architecture: i386 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18
Locale: LANG=C, LC_CTYPE=pl_PL.UTF8 (charmap=UTF-8)

Versions of packages libc6 depends on:
ii  tzdata                        2007b-1    Time Zone and Daylight Saving Time

libc6 recommends no packages.

-- no debconf information

--- End Message ---

--- Begin Message ---

To: 416928-done@bugs.debian.org
Subject: Re: libc6: off-by-one bug in strxfrm()
From: Aurelien Jarno <aurelien@aurel32.net>
Date: Wed, 25 Apr 2007 01:04:36 +0200
Message-id: <20070424230436.GA20118@volta.aurel32.net>
In-reply-to: <814371d60703310749o71a5bd6eya43afda6cd5ba385@mail.gmail.com>
References: <814371d60703310749o71a5bd6eya43afda6cd5ba385@mail.gmail.com>

On Sat, Mar 31, 2007 at 04:49:13PM +0200, Piotr Engelking wrote:
> Package: libc6
> Version: 2.3.6.ds1-13
> Severity: normal
> 
> The result of strxfrm() varies depending on the length of the destination
> buffer. In particular, in the pl_PL.UTF8 locale, strxfrm(buf, "a", i)
> returns 6 for i <= 6, and 5 for i > 6 (and the string placed in the
> destination buffer does, indeed, have the length of 5). This mismatch is
> probably unintended. It is also a violation of the C standard, which states:
> 
>    "The  strxfrm  function  returns  the  length  of  the transformed
>    string (not including the terminating null character)."
> 
> 
> Steps to reproduce:
> 
> $ cat foo.c
> #include <locale.h>
> #include <stdio.h>
> #include <string.h>
> 
> int
> main(void)
> {
>    char buf[42];
>    size_t i;
> 
>    printf("%s\n", setlocale(LC_COLLATE, "pl_PL.UTF8"));
> 
>    for (i = 0; i <= 9; ++i)
>    {
>        char *p;
> 
>        memset(buf, '\0', sizeof(buf));
>        printf("%zd: %zd:", i, strxfrm(buf, "a", i));
> 
>        for (p = buf; *p; ++p)
>            printf(" %02x", (int)*p);
> 
>        printf("\n");
>    }
> 
>    return 0;
> }
> $ gcc foo.c && ./a.out
> pl_PL.UTF8
> 0: 6:
> 1: 6:
> 2: 6: 0c 01
> 3: 6: 0c 01
> 4: 6: 0c 01 08 01
> 5: 6: 0c 01 08 01
> 6: 6: 0c 01 08 01 02 01
> 7: 5: 0c 01 08 01 02
> 8: 5: 0c 01 08 01 02
> 9: 5: 0c 01 08 01 02
> $
> 
> 

I am able to reproduce this bug using a glibc 2.3.6, but not using a
glibc 2.5. I guess the bug has been fixed, so I am closing the bug.

-- 
  .''`.  Aurelien Jarno	            | GPG: 1024D/F1BCDB73
 : :' :  Debian developer           | Electrical Engineer
 `. `'   aurel32@debian.org         | aurelien@aurel32.net
   `-    people.debian.org/~aurel32 | www.aurel32.net

--- End Message ---

Reply to:

Prev by Date: Bug#419344: marked as done (Debconf script incorrectly returns an error on cancellation)
Next by Date: r2127 - in glibc-package/trunk/debian: . patches patches/hurd-i386
Previous by thread: r2126 - in glibc-package/trunk/debian: . po
Next by thread: r2127 - in glibc-package/trunk/debian: . patches patches/hurd-i386
Index(es):
- Date
- Thread