
Bug#728953: strtod: Valgrind reports invalid read when first char is 'n' (in the x86_64 version)



Package: libc6
Version: 2.13-38
Severity: minor

When strtod receives a string starting with 'n', it will read 16
bytes regardless of the actual length of the string sent.

Example:

$ cat > main.c <<'EOF'
#include <stdlib.h>
int main() {
    char buf[] = "no";
    strtod(buf, NULL);
}
EOF
$ gcc main.c
$ LD_DEBUG=bindings ./a.out 2>&1 | grep strtod
25988:     binding file ./a.out [0] to
           /lib/x86_64-linux-gnu/libc.so.6 [0]:
           normal symbol `strtod' [GLIBC_2.2.5]
$ valgrind --track-origins=yes ./a.out
==123== Memcheck, a memory error detector
==123== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==123== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==123== Command: ./a.out
==123==
==123== Conditional jump or move depends on uninitialised value(s)
==123==    at 0x4EB5C71: __GI___strncasecmp_l (strcmp.S:243)
==123==    by 0x4E6B2F3: ____strtod_l_internal (strtod_l.c:585)
==123==    by 0x40052E: main (in /net/home/borisc/test/a.out)
==123==  Uninitialised value was created by a stack allocation
==123==    at 0x40050C: main (in /net/home/borisc/test/a.out)
==123==
==123== Conditional jump or move depends on uninitialised value(s)
==123==    at 0x4EB8197: __GI___strncasecmp_l (strcmp.S:2255)
==123==    by 0x4E6B2F3: ____strtod_l_internal (strtod_l.c:585)
==123==    by 0x40052E: main (in /net/home/borisc/test/a.out)
==123==  Uninitialised value was created by a stack allocation
==123==    at 0x40050C: main (in /net/home/borisc/test/a.out)
==123==
==123== Use of uninitialised value of size 8
==123==    at 0x4EB8199: __GI___strncasecmp_l (strcmp.S:2257)
==123==    by 0x4E6B2F3: ____strtod_l_internal (strtod_l.c:585)
==123==    by 0x40052E: main (in /net/home/borisc/test/a.out)
==123==  Uninitialised value was created by a stack allocation
==123==    at 0x40050C: main (in /net/home/borisc/test/a.out)
==123==
==123== Use of uninitialised value of size 8
==123==    at 0x4EB819D: __GI___strncasecmp_l (strcmp.S:2258)
==123==    by 0x4E6B2F3: ____strtod_l_internal (strtod_l.c:585)
==123==    by 0x40052E: main (in /net/home/borisc/test/a.out)
==123==  Uninitialised value was created by a stack allocation
==123==    at 0x40050C: main (in /net/home/borisc/test/a.out)
==123==
==123==
==123== HEAP SUMMARY:
==123==     in use at exit: 0 bytes in 0 blocks
==123==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==123==
==123== All heap blocks were freed -- no leaks are possible
==123==
==123== For counts of detected and suppressed errors, rerun with: -v
==123== ERROR SUMMARY: 4 errors from 4 contexts (suppressed: 4 from 4)
$ gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/4.7/lto-wrapper
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 4.7.2-5'
--with-bugurl=file:///usr/share/doc/gcc-4.7/README.Bugs
--enable-languages=c,c++,go,fortran,objc,obj-c++ --prefix=/usr
--program-suffix=-4.7 --enable-shared --enable-linker-build-id
--with-system-zlib --libexecdir=/usr/lib --without-included-gettext
--enable-threads=posix --with-gxx-include-dir=/usr/include/c++/4.7
--libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu
--enable-libstdcxx-debug --enable-libstdcxx-time=yes
--enable-gnu-unique-object --enable-plugin --enable-objc-gc
--with-arch-32=i586 --with-tune=generic --enable-checking=release
--build=x86_64-linux-gnu --host=x86_64-linux-gnu
--target=x86_64-linux-gnu
Thread model: posix
gcc version 4.7.2 (Debian 4.7.2-5)

-- System Information:
Debian Release: 7.2
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.8-trunk-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libc6 depends on:
ii  libc-bin  2.13-38
ii  libgcc1   1:4.7.2-5

libc6 recommends no packages.

Versions of packages libc6 suggests:
ii  debconf [debconf-2.0]  1.5.49
pn  glibc-doc              <none>
ii  locales                2.13-38

-- debconf information:
  glibc/upgrade: true
  glibc/disable-screensaver:
  glibc/restart-failed:
  glibc/restart-services:
  libraries/restart-without-asking: false

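Added example (not part of the bug report above, and not glibc code): a guard-page harness that distinguishes the condition Memcheck reports here, a read of mapped but uninitialised stack bytes past the terminator of "no", from a genuine out-of-bounds read that reaches unmapped memory. The string is copied so that its NUL is the last readable byte before a PROT_NONE page; if strtod() or the strncasecmp_l it calls read beyond the terminator into that page, the process dies with SIGSEGV instead of returning. It assumes a Linux/POSIX system with mmap, mprotect and sysconf; the function names strtod_guarded and place_before_guard and the input strings are mine.

```c
#define _DEFAULT_SOURCE
#include <math.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* Copy `s` (terminator included) into a fresh anonymous mapping so that
 * the NUL is the last readable byte before a PROT_NONE guard page.
 * Returns the string's new address, or NULL on failure; *region and
 * *region_len describe the mapping for a later munmap(). */
static char *place_before_guard(const char *s, void **region, size_t *region_len)
{
    long page = sysconf(_SC_PAGESIZE);
    size_t n = strlen(s) + 1;              /* include the terminator */
    if (page <= 0 || n > (size_t)page)
        return NULL;
    size_t len = 2 * (size_t)page;
    char *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    /* The second page becomes the guard: any load touching it faults. */
    if (mprotect(p + page, (size_t)page, PROT_NONE) != 0) {
        munmap(p, len);
        return NULL;
    }
    char *dst = p + page - n;
    memcpy(dst, s, n);
    *region = p;
    *region_len = len;
    return dst;
}

/* Run strtod() on `s` placed directly before a guard page.  Returns the
 * number of characters strtod consumed (0 means "no conversion") and
 * stores the parsed value in *value; returns -1 if the mapping failed.
 * A read past the terminator into the guard page kills the process
 * with SIGSEGV instead of returning here. */
long strtod_guarded(const char *s, double *value)
{
    void *region = NULL;
    size_t region_len = 0;
    char *str = place_before_guard(s, &region, &region_len);
    if (str == NULL)
        return -1;
    char *end = NULL;
    *value = strtod(str, &end);
    long consumed = (long)(end - str);
    munmap(region, region_len);
    return consumed;
}

int main(void)
{
    /* Constructed inputs: the reporter's "no", the special spellings
     * strtod actually accepts after 'n' or 'i', and an ordinary number. */
    const char *inputs[] = { "no", "n", "nan", "inf", "1.5e3x" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        double v = 0.0;
        long consumed = strtod_guarded(inputs[i], &v);
        printf("%-8s consumed=%ld value=%g\n", inputs[i], consumed, v);
    }
    return 0;
}
```

When this runs to completion without a fault, the extra bytes Memcheck complains about were read from the same mapped page as the string, which is what a vectorised comparison that stops at a page boundary does; that is a noisy but bounded over-read, not a read that can reach unmapped or foreign memory. Running the same binary under valgrind still shows the uninitialised-value reports for "no" and "n", so the harness and Memcheck answer different questions and both are worth keeping.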
