Bug#453408: libc6: sscanf dies on an empty string if %as is used
Package: libc6
Version: 2.7-2
Severity: normal
The following code shows that sscanf() on an empty string gets an
invalid pointer if %as is used.
#include <stdio.h>

int main()
{
    char *buf = "";     /* empty input string */
    char *str;          /* to be allocated by the %as conversion */

    sscanf (buf, "%as", &str);
    printf("%s\n", str);
    return 0;
}
A backtrace is below. Hope I'm not doing anything stupid.
regards,
--
yashi
(gdb) r
Starting program: /tmp/a.out
*** glibc detected *** /tmp/a.out: munmap_chunk(): invalid pointer: 0x00007fff5f9a89b0 ***
======= Backtrace: =========
/usr/lib/debug/libc.so.6(cfree+0x1b6)[0x2b614b395d06]
/usr/lib/debug/libc.so.6(_IO_vfscanf+0x239f)[0x2b614b37329f]
/usr/lib/debug/libc.so.6(vsscanf+0x75)[0x2b614b383c85]
/usr/lib/debug/libc.so.6(_IO_sscanf+0x88)[0x2b614b37e8b8]
/tmp/a.out[0x40050f]
/usr/lib/debug/libc.so.6(__libc_start_main+0xf4)[0x2b614b33c1c4]
/tmp/a.out[0x400459]
======= Memory map: ========
00400000-00401000 r-xp 00000000 08:21 1457336 /tmp/a.out
00600000-00601000 rw-p 00000000 08:21 1457336 /tmp/a.out
00601000-00622000 rw-p 00601000 00:00 0 [heap]
2b614b100000-2b614b11d000 r-xp 00000000 08:21 292480 /lib/ld-2.7.so
2b614b11d000-2b614b120000 rw-p 2b614b11d000 00:00 0
2b614b31c000-2b614b31e000 rw-p 0001c000 08:21 292480 /lib/ld-2.7.so
2b614b31e000-2b614b472000 r-xp 00000000 08:21 23996 /usr/lib/debug/libc-2.7.so
2b614b472000-2b614b672000 ---p 00154000 08:21 23996 /usr/lib/debug/libc-2.7.so
2b614b672000-2b614b676000 r--p 00154000 08:21 23996 /usr/lib/debug/libc-2.7.so
2b614b676000-2b614b677000 rw-p 00158000 08:21 23996 /usr/lib/debug/libc-2.7.so
2b614b677000-2b614b67d000 rw-p 2b614b677000 00:00 0
2b614b693000-2b614b6a9000 r-xp 00000000 08:21 31449 /lib/libgcc_s.so.1
2b614b6a9000-2b614b8a8000 ---p 00016000 08:21 31449 /lib/libgcc_s.so.1
2b614b8a8000-2b614b8a9000 rw-p 00015000 08:21 31449 /lib/libgcc_s.so.1
7fff5f995000-7fff5f9aa000 rw-p 7fff5f995000 00:00 0 [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vdso]
Program received signal SIGABRT, Aborted.
0x00002b614b34ffd5 in *__GI_raise (sig=<value optimized out>)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
(gdb) bt
#0 0x00002b614b34ffd5 in *__GI_raise (sig=<value optimized out>)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1 0x00002b614b351a30 in *__GI_abort () at abort.c:88
#2 0x00002b614b38aa8b in __libc_message (do_abort=2,
fmt=0x2b614b4458e8 "*** glibc detected *** %s: %s: 0x%s ***\n")
at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#3 0x00002b614b395d06 in *__GI___libc_free (mem=<value optimized out>) at malloc.c:5891
#4 0x00002b614b37329f in _IO_vfscanf_internal (s=0x7fff5f9a8f30, format=<value optimized out>,
argptr=0x7fff5f9a9050, errp=0x0) at vfscanf.c:2846
#5 0x00002b614b383c85 in _IO_vsscanf (string=0x40060c "", format=0x40060d "%as",
args=0x7fff5f9a9050) at iovsscanf.c:45
#6 0x00002b614b37e8b8 in __sscanf (s=0x476e <Address 0x476e out of bounds>,
format=0x476e <Address 0x476e out of bounds>) at sscanf.c:34
#7 0x000000000040050f in main () at scanf-bug.c:8
(gdb)
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.22-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libc6 depends on:
ii libgcc1 1:4.3-20070930-1 GCC support library
libc6 recommends no packages.
-- debconf information:
glibc/restart-failed:
glibc/restart-services:
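The failure mode in this report is the empty-input edge case of the allocating string conversion: when no conversion succeeds, the pointer argument is never set (and a broken libc may even free garbage), so code that reads or frees it afterwards is operating on an indeterminate pointer. As an added example (not the reporter's code and not part of glibc), the function below wraps the conversion defensively: it uses the standardised `%ms` modifier (POSIX.1-2008, the successor to the GNU `%as`), initialises the output pointer before the call, and only hands the buffer to the caller when sscanf reports exactly one successful conversion. The names `scan_token` and `out` are this example's own.

```c
#define _GNU_SOURCE     /* enables %ms in glibc regardless of -std= setting */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Read the first whitespace-delimited token of `input` into a freshly
 * malloc'ed string.  Returns the raw sscanf result: 1 on success, 0 if no
 * token matched, EOF if the input ended before anything could be read
 * (an empty or whitespace-only string).  *out is set to NULL before the
 * call and is only non-NULL when the return value is 1, so the caller can
 * never print or free an indeterminate pointer.
 */
int scan_token(const char *input, char **out)
{
    char *tmp = NULL;   /* never rely on sscanf to initialise this */
    int n;

    *out = NULL;
    n = sscanf(input, "%ms", &tmp);
    if (n != 1) {
        /* Nothing was allocated for us; do not touch tmp. */
        return n;
    }
    *out = tmp;         /* caller owns the buffer and must free() it */
    return n;
}

int main(void)
{
    const char *samples[] = { "", "   ", "hello world" };   /* constructed inputs */
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *str;
        int n = scan_token(samples[i], &str);
        if (n == 1) {
            printf("input \"%s\": token \"%s\"\n", samples[i], str);
            free(str);
        } else {
            printf("input \"%s\": no token (sscanf returned %d)\n", samples[i], n);
        }
    }
    return 0;
}
```

The check `n != 1` rather than `n <= 0` matters because sscanf distinguishes "matching failure" (0) from "input ended first" (EOF) and both mean the output pointer was never assigned; testing for the exact count of expected conversions is the habit that keeps this class of bug out of callers even when the libc underneath behaves.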