Date: Thu, 21 Apr 2016 03:57:09 +0300
From: Andrey Chernov <ache@freebsd.org>
To: Baptiste Daroussin <bapt@FreeBSD.org>, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r298367 - head/lib/libc/locale
Message-ID: <a2485516-9b18-6323-934d-45ed915b52ff@freebsd.org>
In-Reply-To: <201604202044.u3KKiUMq081452@repo.freebsd.org>
References: <201604202044.u3KKiUMq081452@repo.freebsd.org>

On 20.04.2016 23:44, Baptiste Daroussin wrote:
> Author: bapt
> Date: Wed Apr 20 20:44:30 2016
> New Revision: 298367
> URL: https://svnweb.freebsd.org/changeset/base/298367
>
> Log:
> Check the returned value of memchr(3) before using it
>
> Reported by: Coverity
> CID: 1338530
>
> Modified:
> head/lib/libc/locale/ascii.c
>
> Modified: head/lib/libc/locale/ascii.c
> ==============================================================================
> --- head/lib/libc/locale/ascii.c Wed Apr 20 20:43:05 2016 (r298366)
> +++ head/lib/libc/locale/ascii.c Wed Apr 20 20:44:30 2016 (r298367)
> @@ -133,11 +133,14 @@ _ascii_mbsnrtowcs(wchar_t * __restrict d
>
> if (dst == NULL) {
> s = memchr(*src, '\0', nms);
> + if (s == NULL)
> + return (nms);
> +
> if (*s & 0x80) {
> errno = EILSEQ;
> return ((size_t)-1);
> }
> - return (s != NULL ? s - *src : nms);
> + return (s - *src);
> }
>
> s = *src;
>

The whole code is incorrect, only the very first char is checked, there
must be a loop like in -stable:

	if (dst == NULL) {
		for (s = *src; nms > 0 && *s != '\0'; s++, nms--) {
			if (*s & 0x80) {
				errno = EILSEQ;
				return ((size_t)-1);
			}
		}
		return (s - *src);
	}

Since svn history is lost on deleting, I don't know why the incorrect
version was committed.
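
Review bot: in the dst == NULL branch, the `if (*s & 0x80)` test that follows the new NULL check can never fire: s is the pointer that memchr(*src, '\0', nms) returned, so *s is the '\0' byte it found and the high-bit test is always false. None of the bytes between *src and s is examined, and the new early `return (nms);` likewise returns without examining any of the nms bytes, so this path never sets EILSEQ for non-ASCII input. Suggest walking the bytes from *src up to the terminator or nms, whichever comes first, and testing each one against 0x80 before returning the count.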