On AIX 7.2 in 32-bit mode, I see a test failure:

  ../../build-aux/test-driver[111]: 14156200 Segmentation fault(coredump)
  FAIL: test-memchr

Investigation shows that the code accesses the second word of the indicated memory region, even if the searched byte already occurs in the first word of the memory region:

  (gdb) disassemble memchr
  Dump of assembler code for function memchr:
  ...
     0xd0141888 <+104>: lwz r8,0(r3)
  => 0xd014188c <+108>: lwz r9,4(r3)
  (gdb) print (void *)$r3
  $2 = (void *) 0x30002ffc

For glibc this was classified as a glibc bug <https://sourceware.org/bugzilla/show_bug.cgi?id=10162>, and worked around in Gnulib. The same criteria apply here.

2020-12-11  Bruno Haible  <br...@clisp.org>

	memchr: Work around memory overrun bug on AIX 7.2.
	* m4/memchr.m4 (gl_FUNC_MEMCHR): Test against AIX 7.2 bug.
	* doc/posix-functions/memchr.texi: Mention the AIX bug.

diff --git a/doc/posix-functions/memchr.texi b/doc/posix-functions/memchr.texi index 5ceb71f..98ef20e 100644 --- a/doc/posix-functions/memchr.texi +++ b/doc/posix-functions/memchr.texi @@ -10,7 +10,7 @@ Portability problems fixed by Gnulib: @itemize @item This function dereferences too much memory on some platforms: -glibc 2.10 on x86_64, IA-64; glibc 2.11 on Alpha. +glibc 2.10 on x86_64, IA-64; glibc 2.11 on Alpha, AIX 7.2. @item This function returns NULL if the character argument is not in the range of an @code{unsigned char} on some platforms: diff --git a/m4/memchr.m4 b/m4/memchr.m4 index 81e8f98..888d2b2 100644 --- a/m4/memchr.m4 +++ b/m4/memchr.m4 @@ -1,4 +1,4 @@ -# memchr.m4 serial 16 +# memchr.m4 serial 17 dnl Copyright (C) 2002-2004, 2009-2020 Free Software Foundation, Inc. dnl This file is free software; the Free Software Foundation dnl gives unlimited permission to copy and/or distribute it, @@ -59,6 +59,7 @@ AC_DEFUN_ONCE([gl_FUNC_MEMCHR], #endif if (fence) { + /* Test against bugs on glibc systems. */ if (memchr (fence, 0, 0)) result |= 1; strcpy (fence - 9, "12345678"); 
@@ -66,6 +67,9 @@ AC_DEFUN_ONCE([gl_FUNC_MEMCHR], result |= 2; if (memchr (fence - 1, 0, 3) != fence - 1) result |= 4; + /* Test against bug on AIX 7.2. */ + if (memchr (fence - 4, '6', 16) != fence - 4) + result |= 8; } /* Test against bug on Android 4.3. */ { @@ -74,7 +78,7 @@ AC_DEFUN_ONCE([gl_FUNC_MEMCHR], input[1] = 'b'; input[2] = 'c'; if (memchr (input, 0x789abc00 | 'b', 3) != input + 1) - result |= 8; + result |= 16; } return result; ]])],
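Review bot: In the doc/posix-functions/memchr.texi hunk, the new platform is joined with a comma, so "glibc 2.11 on Alpha, AIX 7.2." reads as glibc 2.11 running on Alpha and on AIX 7.2. The same line already separates platform groups with a semicolon; "glibc 2.11 on Alpha; AIX 7.2." keeps AIX as its own entry. Since the message reports the failure in 32-bit mode, the entry could say so as well.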
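Review bot: In the @@ -66,6 +67,9 @@ hunk of m4/memchr.m4, the comment "Test against bug on AIX 7.2." does not explain the arguments or how the failure shows up. After strcpy (fence - 9, "12345678") the byte '6' sits at fence - 4, so the match is the first byte searched and only 4 of the 16 bytes lie in front of fence. Assuming fence marks the start of inaccessible memory, as its name and the reported segfault suggest, an implementation that loads the next word crashes the test program instead of reaching result |= 8. Suggest extending the comment to say that, so a reader does not expect exit status 8 from an affected AIX system.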
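Review bot: In the @@ -74,7 +78,7 @@ hunk, the Android 4.3 check changes from result |= 8 to result |= 16 so that the new AIX check can take 8, which changes what an existing exit status means. Giving the AIX check the unused value 16 would leave the Android bit as it was. If the renumbering is kept so the bits follow source order, a word about it in the ChangeLog entry would help anyone comparing old and new test results.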
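A stand-alone form of the guard-page check, added here as an example and not part of the original message or of Gnulib: it puts the match four bytes in front of an inaccessible page, as the AIX test in the patch does, and runs memchr in a child process so an over-read is reported as a return value instead of crashing the caller. The mmap/mprotect fence setup and the name memchr_overread_check are assumptions, since the page does not show how fence is created.

```c
#define _DEFAULT_SOURCE            /* for MAP_ANONYMOUS on glibc */
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* 0: memchr stopped at the match; 1: wrong pointer returned;
   2: child killed by a signal (read past the match into the guard page);
   -1: the harness could not be set up. */
int memchr_overread_check(void)
{
    /* Call through a volatile pointer so the compiler cannot fold the
       call away and the libc implementation is what gets exercised. */
    void *(*volatile find)(const void *, int, size_t) = memchr;
    size_t page = (size_t) sysconf(_SC_PAGESIZE);
    char *base = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return -1;
    char *fence = base + page;             /* first byte of the guard page */
    if (mprotect(fence, page, PROT_NONE) != 0) {
        munmap(base, 2 * page);
        return -1;
    }
    strcpy(fence - 9, "12345678");         /* '6' lands at fence - 4 */

    pid_t pid = fork();                    /* isolate a possible SIGSEGV */
    if (pid == 0)
        /* Match is the first byte; 12 of the 16 bytes are behind the fence. */
        _exit(find(fence - 4, '6', 16) == fence - 4 ? 0 : 1);
    int status = 0;
    int reaped = pid > 0 && waitpid(pid, &status, 0) == pid;
    munmap(base, 2 * page);
    if (!reaped)
        return -1;
    if (WIFSIGNALED(status))
        return 2;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    int r = memchr_overread_check();
    printf("memchr over-read check: %d\n", r);
    return r != 0;
}
```

A result of 2 corresponds to the segmentation fault reported above for AIX 7.2; a libc whose memchr stops at the first match returns 0.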