--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: libc6: sscanf dies on an empty string if %as is used
- From: Yasushi SHOJI <yashi@atmark-techno.com>
- Date: Thu, 29 Nov 2007 20:46:04 +0900
- Message-id: <877ik1e0lf.wl@mail2.atmark-techno.com>
Package: libc6
Version: 2.7-2
Severity: normal
The following code shows that sscanf() on an empty string gets an
invalid pointer if %as is used.
#include <stdio.h>

int main(void)
{
    char *buf = "";
    char *str;                    /* deliberately left uninitialised, as in the report */
    sscanf (buf, "%as", &str);    /* empty input: nothing matches, yet the library frees *str */
    printf("%s\n", str);
    return 0;
}
A backtrace is below. Hope I'm not doing anything stupid.
regards,
--
yashi
(gdb) r
Starting program: /tmp/a.out
*** glibc detected *** /tmp/a.out: munmap_chunk(): invalid pointer: 0x00007fff5f9a89b0 ***
======= Backtrace: =========
/usr/lib/debug/libc.so.6(cfree+0x1b6)[0x2b614b395d06]
/usr/lib/debug/libc.so.6(_IO_vfscanf+0x239f)[0x2b614b37329f]
/usr/lib/debug/libc.so.6(vsscanf+0x75)[0x2b614b383c85]
/usr/lib/debug/libc.so.6(_IO_sscanf+0x88)[0x2b614b37e8b8]
/tmp/a.out[0x40050f]
/usr/lib/debug/libc.so.6(__libc_start_main+0xf4)[0x2b614b33c1c4]
/tmp/a.out[0x400459]
======= Memory map: ========
00400000-00401000 r-xp 00000000 08:21 1457336 /tmp/a.out
00600000-00601000 rw-p 00000000 08:21 1457336 /tmp/a.out
00601000-00622000 rw-p 00601000 00:00 0 [heap]
2b614b100000-2b614b11d000 r-xp 00000000 08:21 292480 /lib/ld-2.7.so
2b614b11d000-2b614b120000 rw-p 2b614b11d000 00:00 0
2b614b31c000-2b614b31e000 rw-p 0001c000 08:21 292480 /lib/ld-2.7.so
2b614b31e000-2b614b472000 r-xp 00000000 08:21 23996 /usr/lib/debug/libc-2.7.so
2b614b472000-2b614b672000 ---p 00154000 08:21 23996 /usr/lib/debug/libc-2.7.so
2b614b672000-2b614b676000 r--p 00154000 08:21 23996 /usr/lib/debug/libc-2.7.so
2b614b676000-2b614b677000 rw-p 00158000 08:21 23996 /usr/lib/debug/libc-2.7.so
2b614b677000-2b614b67d000 rw-p 2b614b677000 00:00 0
2b614b693000-2b614b6a9000 r-xp 00000000 08:21 31449 /lib/libgcc_s.so.1
2b614b6a9000-2b614b8a8000 ---p 00016000 08:21 31449 /lib/libgcc_s.so.1
2b614b8a8000-2b614b8a9000 rw-p 00015000 08:21 31449 /lib/libgcc_s.so.1
7fff5f995000-7fff5f9aa000 rw-p 7fff5f995000 00:00 0 [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vdso]
Program received signal SIGABRT, Aborted.
0x00002b614b34ffd5 in *__GI_raise (sig=<value optimized out>)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
(gdb) bt
#0 0x00002b614b34ffd5 in *__GI_raise (sig=<value optimized out>)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1 0x00002b614b351a30 in *__GI_abort () at abort.c:88
#2 0x00002b614b38aa8b in __libc_message (do_abort=2,
fmt=0x2b614b4458e8 "*** glibc detected *** %s: %s: 0x%s ***\n")
at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#3 0x00002b614b395d06 in *__GI___libc_free (mem=<value optimized out>) at malloc.c:5891
#4 0x00002b614b37329f in _IO_vfscanf_internal (s=0x7fff5f9a8f30, format=<value optimized out>,
argptr=0x7fff5f9a9050, errp=0x0) at vfscanf.c:2846
#5 0x00002b614b383c85 in _IO_vsscanf (string=0x40060c "", format=0x40060d "%as",
args=0x7fff5f9a9050) at iovsscanf.c:45
#6 0x00002b614b37e8b8 in __sscanf (s=0x476e <Address 0x476e out of bounds>,
format=0x476e <Address 0x476e out of bounds>) at sscanf.c:34
#7 0x000000000040050f in main () at scanf-bug.c:8
(gdb)
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.22-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libc6 depends on:
ii libgcc1 1:4.3-20070930-1 GCC support library
libc6 recommends no packages.
-- debconf information:
glibc/restart-failed:
glibc/restart-services:
--- End Message ---
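The report above triggers a free() of whatever garbage happens to sit in the uninitialised `str` when "%as" finds nothing to match on an empty string. The program below is an added example, not part of the bug report or of glibc, showing how a caller should use the auto-allocating conversion regardless of which libc is installed: keep the output pointer initialised, check the return value of sscanf(), and only read or free the buffer after a confirmed match. It uses "%ms" (the POSIX.1-2008 spelling of GNU's "%as") and assumes a glibc that understands it; on an older libc substitute "%as". The helper names scan_token() and count_matches() and the sample inputs are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not part of the bug report or of glibc. Demonstrates the
 * defensive pattern for the auto-allocating string conversion. "%ms" is
 * the POSIX.1-2008 spelling of GNU's "%as"; on a libc without "%ms",
 * substitute "%as". scan_token() and count_matches() are hypothetical
 * helper names chosen for this example. */

/* Scan one whitespace-delimited token from `input` into a newly allocated
 * string. Returns 1 and stores the buffer in *out on success; returns 0
 * and stores NULL when nothing matched (empty or whitespace-only input),
 * so the caller never sees an unset pointer. */
static int scan_token(const char *input, char **out)
{
    char *tok = NULL;               /* never hand sscanf() an uninitialised pointer */
    int n = sscanf(input, "%ms", &tok);
    if (n != 1) {
        /* No match: sscanf() returned EOF and never assigned tok, so there
         * is nothing to free. Starting from NULL also means that a buggy
         * library freeing the unset pointer hits free(NULL), a no-op. */
        *out = NULL;
        return 0;
    }
    *out = tok;
    return 1;
}

/* Count how many of the `n` inputs yield a token; frees each result. */
static int count_matches(const char *const *inputs, size_t n)
{
    int matched = 0;
    for (size_t i = 0; i < n; i++) {
        char *s = NULL;
        if (scan_token(inputs[i], &s)) {
            matched++;
            free(s);                /* freed only after a confirmed match */
        }
    }
    return matched;
}

int main(void)
{
    /* Constructed sample inputs, including the empty string from the report. */
    const char *const samples[] = { "", "   ", "hello", "  world  " };
    size_t n = sizeof samples / sizeof samples[0];
    char *s = NULL;

    printf("matched %d of %zu inputs\n", count_matches(samples, n), n);
    if (scan_token(samples[0], &s) == 0 && s == NULL)
        printf("empty input: no match, pointer left NULL\n");
    return 0;
}
```

The return-value check is the part that matters even on the fixed glibc: after a failed "%ms"/"%as" conversion the library does not set the pointer, so dereferencing or freeing it without checking the count is the caller's bug, independent of the library crash the report describes.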
--- Begin Message ---
Source: glibc
Source-Version: 2.7-5
We believe that the bug you reported is fixed in the latest version of
glibc, which is due to be installed in the Debian FTP archive:
glibc-doc_2.7-5_all.deb
to pool/main/g/glibc/glibc-doc_2.7-5_all.deb
glibc_2.7-5.diff.gz
to pool/main/g/glibc/glibc_2.7-5.diff.gz
glibc_2.7-5.dsc
to pool/main/g/glibc/glibc_2.7-5.dsc
libc6-dbg_2.7-5_amd64.deb
to pool/main/g/glibc/libc6-dbg_2.7-5_amd64.deb
libc6-dev-i386_2.7-5_amd64.deb
to pool/main/g/glibc/libc6-dev-i386_2.7-5_amd64.deb
libc6-dev_2.7-5_amd64.deb
to pool/main/g/glibc/libc6-dev_2.7-5_amd64.deb
libc6-i386_2.7-5_amd64.deb
to pool/main/g/glibc/libc6-i386_2.7-5_amd64.deb
libc6-pic_2.7-5_amd64.deb
to pool/main/g/glibc/libc6-pic_2.7-5_amd64.deb
libc6-prof_2.7-5_amd64.deb
to pool/main/g/glibc/libc6-prof_2.7-5_amd64.deb
libc6-udeb_2.7-5_amd64.udeb
to pool/main/g/glibc/libc6-udeb_2.7-5_amd64.udeb
libc6_2.7-5_amd64.deb
to pool/main/g/glibc/libc6_2.7-5_amd64.deb
libnss-dns-udeb_2.7-5_amd64.udeb
to pool/main/g/glibc/libnss-dns-udeb_2.7-5_amd64.udeb
libnss-files-udeb_2.7-5_amd64.udeb
to pool/main/g/glibc/libnss-files-udeb_2.7-5_amd64.udeb
locales-all_2.7-5_amd64.deb
to pool/main/g/glibc/locales-all_2.7-5_amd64.deb
locales_2.7-5_all.deb
to pool/main/g/glibc/locales_2.7-5_all.deb
nscd_2.7-5_amd64.deb
to pool/main/g/glibc/nscd_2.7-5_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 453408@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Aurelien Jarno <aurel32@debian.org> (supplier of updated glibc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 19 Dec 2007 01:22:06 +0100
Source: glibc
Binary: libc0.1-prof libc6.1-alphaev67 libc6-dev-amd64 locales-all libc6-i686 libc6-dev-ppc64 libc0.3-pic glibc-doc libc0.3 libc6-dev-mipsn32 libc0.1-i686 libc0.1-i386 libc6-mips64 libc6.1-dev libc6-s390x libnss-files-udeb libc0.1-dev-i386 libc6-dev-sparc64 libc6-i386 libc0.3-dev libc6-udeb libc6-dbg libc6.1-pic libc6-dev libc0.3-prof libc0.1-udeb libc6-dev-i386 libc6.1-prof libc6-mipsn32 libc0.1-dev locales libc6-pic libc0.3-udeb libc6-dev-powerpc libc0.1-pic libc6-ppc64 libc0.3-dbg libc0.1-dbg libc6-amd64 libc0.1 libc6-prof libc6-xen libc6-dev-mips64 libc6-powerpc libc6 libc6-sparcv9b libc6.1-udeb libc6.1-dbg nscd libc6-sparc64 libnss-dns-udeb libc6.1 libc6-dev-s390x
Architecture: source amd64 all
Version: 2.7-5
Distribution: unstable
Urgency: low
Maintainer: Aurelien Jarno <aurel32@debian.org>
Changed-By: Aurelien Jarno <aurel32@debian.org>
Description:
glibc-doc - GNU C Library: Documentation
libc6 - GNU C Library: Shared libraries
libc6-dbg - GNU C Library: Libraries with debugging symbols
libc6-dev - GNU C Library: Development Libraries and Header Files
libc6-dev-i386 - GNU C Library: 32bit development libraries for AMD64
libc6-i386 - GNU C Library: 32bit shared libraries for AMD64
libc6-pic - GNU C Library: PIC archive library
libc6-prof - GNU C Library: Profiling Libraries
libc6-udeb - GNU C Library: Shared libraries - udeb (udeb)
libnss-dns-udeb - GNU C Library: NSS helper for DNS - udeb (udeb)
libnss-files-udeb - GNU C Library: NSS helper for files - udeb (udeb)
locales - GNU C Library: National Language (locale) data [support]
locales-all - GNU C Library: Precompiled locale data
nscd - GNU C Library: Name Service Cache Daemon
Closes: 453408 453899 455603 455783 456260 456779
Changes:
glibc (2.7-5) unstable; urgency=low
.
[ Aurelien Jarno ]
* Moved merged parts of patches/any/submitted-sched_h.diff into
patches/any/cvs-sched_h.diff.
* patches/any/cvs-ether_line.diff: new patch from upstream to fix
ether_line(). Closes: bug#453899.
* patches/any/cvs-vfscanf.diff: new patch from upstream to fix
crash when %as is used with sscanf(). Closes: bug#453408.
* debian/rules: also set CXX when cross-compiling.
* patches/any/submitted-malloc_h.diff: removed, replaced by
patches/any/cvs-wchar_h.diff.
* debian/sysdeps/depflags.pl: conflict against tzdata (<< 2007j-2) as
etch now has version 2007j-1etch1. Closes: bug#455783.
* debian/sysdeps/depflags.pl: suggests libc6-i686 on i386 architecture.
Closes: bug#455603.
* any/submitted-rfc3484-labels.diff: new patch to fix RFC 3484 default
label ordering. Closes: bug#456779.
* patches/alpha/local-dl-procinfo.diff: add missing part. Closes:
bug#456260.
.
[ Petr Salinger]
* kfreebsd/local-sysdeps.diff: update to revision 2082 (from glibc-bsd).
* any/cvs-fchmodat.diff: properly declare as stub - needed by GNU/kFreeBSD.
.
[ Samuel Thibault]
* patches/hurd-i386/submitted-ioctl-unsigned-size_t.diff: update to also
handle unsigned char/int/short/long and ssize_t.
Files:
361dd96941a59f2aef46bb9ad9ba3ee6 2072 libs required glibc_2.7-5.dsc
0011d41ff261625c1754af61040c64a3 675390 libs required glibc_2.7-5.diff.gz
975f3462f7d8774f2a81aaa8c0fc60f5 1623962 doc optional glibc-doc_2.7-5_all.deb
5abfe8de9c1edaffc49e5273a0cfb321 4486002 libs standard locales_2.7-5_all.deb
2d70d766d5c721c3486071635344e263 4992748 libs required libc6_2.7-5_amd64.deb
ebf51cbd7a6f29c0a2fadf2a98469218 2530166 libdevel optional libc6-dev_2.7-5_amd64.deb
884738826550a7bbe3e80ec562e94bff 1961766 libdevel extra libc6-prof_2.7-5_amd64.deb
77a6841b1962ed27e3a453d93048d889 1481630 libdevel optional libc6-pic_2.7-5_amd64.deb
541ac14a7f00ef0916e5f2be5ab12444 2730022 libs extra locales-all_2.7-5_amd64.deb
398e6f6a56d4398bc55aabb3cebc5054 3735604 libs optional libc6-i386_2.7-5_amd64.deb
7f8d5b40c4cb1cafb43177a9fe062d28 1430482 libdevel optional libc6-dev-i386_2.7-5_amd64.deb
5265a7d9c9b0ac1edb308ddfeb1cc2f6 170498 admin optional nscd_2.7-5_amd64.deb
a5b657ed998b8f9bd43cc5ff24f06a6e 5317476 libdevel extra libc6-dbg_2.7-5_amd64.deb
8c903d8677e3829c7237ca50e61e6be0 1129200 debian-installer extra libc6-udeb_2.7-5_amd64.udeb
d7d190f4ef4276a128f3360588248c70 9744 debian-installer extra libnss-dns-udeb_2.7-5_amd64.udeb
88126b6ec721be6fb1b377019fd5e068 18012 debian-installer extra libnss-files-udeb_2.7-5_amd64.udeb
Package-Type: udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHaVGJw3ao2vG823MRAls+AJ9FC6Kzv1jK5rSRnESBR6O2yeppyACeP7Pt
4djm+On05Bb5rZJRIXAAgS8=
=HVLP
-----END PGP SIGNATURE-----
--- End Message ---