If xstrtol() was being called with a base of 1, under some conditions it would invoke Undefined Behavior.
Here's the code that would trigger UB:
char *end;
xstrtol(str, &end, 1, ...); // Let's ignore trailing args.
The reason why this triggers UB is that since the following line lets a
base of 1 go through:
assure (0 <= strtol_base && strtol_base <= 36);
then we arrive at this call:
tmp = __strtol (s, p, strtol_base);
which sets errno to EINVAL and returns 0 immediately, without updating
the 'p' pointer. Then, the following line of code:
if (*p == s)
dereferences an uninitialized pointer.
This was found while searching for examples of why strtol(3) is a bad
API, and how it makes it so easy to misuse.
Fixes: 034a18049cbc (2014-12-20, "assure: new module")
Link:
<https://github.com/void-linux/void-packages/issues/51261#issuecomment-2237013621>
Cc: Paul Eggert <[email protected]>
Cc: Đoàn Trần Công Danh <[email protected]>
Cc: Eli Schwartz <[email protected]>
Cc: Sam James <[email protected]>
Cc: Serge Hallyn <[email protected]>
Cc: Iker Pedrosa <[email protected]>
Cc: "Andrew J. Hesford" <[email protected]>
Cc: Michael Vetter <[email protected]>
Cc: <[email protected]>
Signed-off-by: Alejandro Colomar <[email protected]>
---
Range-diff against v0:
-: ---------- > 1: 49c4c25b0a xstrtol: 1 is not a valid base
lib/xstrtol.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/xstrtol.c b/lib/xstrtol.c
index e4bce43681..575c16d45f 100644
--- a/lib/xstrtol.c
+++ b/lib/xstrtol.c
@@ -83,7 +83,7 @@ __xstrtol (const char *s, char **ptr, int strtol_base,
__strtol_t tmp;
strtol_error err = LONGINT_OK;
- assure (0 <= strtol_base && strtol_base <= 36);
+ assure (0 == strtol_base || (2 <= strtol_base && strtol_base <= 36));
p = (ptr ? ptr : &t_ptr);
--
2.45.2
signature.asc
Description: PGP signature
