GNU bug report logs -
#41850
[PATCH] maint: Avoid signed integer overflows
Previous Next
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 41850 in the body.
You can then email your comments to 41850 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-coreutils <at> gnu.org:
bug#41850; Package
coreutils.
(Sun, 14 Jun 2020 12:48:01 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Tobias Stoeckmann <tobias <at> stoeckmann.org>:
New bug report received and forwarded. Copy sent to
bug-coreutils <at> gnu.org.
(Sun, 14 Jun 2020 12:48:01 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Since -LONG_MIN results in LONG_MIN again, the operation itself is
a signed integer overflow.
This can be observed with the following calls (best if compiled
with -ftrapv or -fsanitize=undefined):
$ numfmt --padding=-9223372036854775808
$ seq 1e-9223372036854775808
Technically, the change in seq "reduces" the precision, but a double
or long double that small would be represented as 0 anyway.
---
src/numfmt.c | 2 +-
src/seq.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/numfmt.c b/src/numfmt.c
index 8869791b0..8871a8c01 100644
--- a/src/numfmt.c
+++ b/src/numfmt.c
@@ -1496,7 +1496,7 @@ main (int argc, char **argv)
case PADDING_OPTION:
if (xstrtol (optarg, NULL, 10, &padding_width, "") != LONGINT_OK
- || padding_width == 0)
+ || padding_width == 0 || padding_width < -LONG_MAX)
die (EXIT_FAILURE, 0, _("invalid padding value %s"),
quote (optarg));
if (padding_width < 0)
diff --git a/src/seq.c b/src/seq.c
index ddb63b642..2ca1e4f7b 100644
--- a/src/seq.c
+++ b/src/seq.c
@@ -197,7 +197,7 @@ scan_arg (const char *arg)
e = strchr (arg, 'E');
if (e)
{
- long exponent = strtol (e + 1, NULL, 10);
+ long exponent = MAX (strtol (e + 1, NULL, 10), -LONG_MAX);
ret.precision += exponent < 0 ? -exponent
: - MIN (ret.precision, exponent);
/* Don't account for e.... in the width since this is not output. */
--
2.27.0
Information forwarded
to
bug-coreutils <at> gnu.org:
bug#41850; Package
coreutils.
(Mon, 15 Jun 2020 22:13:01 GMT)
Full text and
rfc822 format available.
Message #8 received at 41850 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On 14/06/2020 13:47, Tobias Stoeckmann wrote:
> Since -LONG_MIN results in LONG_MIN again, the operation itself is
> a signed integer overflow.
>
> This can be observed with the following calls (best if compiled
> with -ftrapv or -fsanitize=undefined):
>
> $ numfmt --padding=-9223372036854775808
> $ seq 1e-9223372036854775808
>
> Technically, the change in seq "reduces" the precision, but a double
> or long double that small would be represented as 0 anyway.
Thanks for fixing those -fsanitize=undefined issues.
I can confirm with GCC 10 -fsanitize=undefined was giving:
src/numfmt.c:1505:31: runtime error:
negation of -9223372036854775808 cannot be represented in type 'long int'
How did you notice BTW. This wasn't exposed in existing tests.
I've updated your patch (attached) to add tests for this.
cheers,
Pádraig
[numfmt-seq-ubsan.patch (text/x-patch, attachment)]
Information forwarded
to
bug-coreutils <at> gnu.org:
bug#41850; Package
coreutils.
(Tue, 16 Jun 2020 06:33:01 GMT)
Full text and
rfc822 format available.
Message #11 received at 41850 <at> debbugs.gnu.org (full text, mbox):
On 2020-06-16 00:11, Pádraig Brady wrote:
> I've updated your patch (attached) to add tests for this.
nice, thanks.
Have a nice day,
Berny
Information forwarded
to
bug-coreutils <at> gnu.org:
bug#41850; Package
coreutils.
(Wed, 17 Jun 2020 18:16:02 GMT)
Full text and
rfc822 format available.
Message #14 received at 41850 <at> debbugs.gnu.org (full text, mbox):
Hi,
On Mon, Jun 15, 2020 at 11:11:57PM +0100, Pádraig Brady wrote:
> How did you notice BTW. This wasn't exposed in existing tests.
it was a manual code review.
I like coreutils for having such a high quality and its goal of being as
portable as possible. The former means that it's challenging and
educational to find bugs or standard violations and the latter that
fixes have a high change of being accepted. Last but not least, small
programs make it easy to trigger issues with a simple call for easy
reproducability.
> I've updated your patch (attached) to add tests for this.
Thanks, the test suite looks nice.
Tobias
bug closed, send any further explanations to
41850 <at> debbugs.gnu.org and Tobias Stoeckmann <tobias <at> stoeckmann.org>
Request was from
Paul Eggert <eggert <at> cs.ucla.edu>
to
control <at> debbugs.gnu.org.
(Fri, 28 Jan 2022 01:29:01 GMT)
Full text and
rfc822 format available.
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Fri, 25 Feb 2022 12:24:09 GMT)
Full text and
rfc822 format available.
This bug report was last modified 2 years and 61 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.