Date: Sat, 21 Apr 2012 17:05:54 +1000
From: Peter Jeremy <peterjeremy@acm.org>
To: David Schultz <das@FreeBSD.org>
Cc: svn-src-head@FreeBSD.org, svn-src-all@FreeBSD.org, src-committers@FreeBSD.org
Subject: Re: svn commit: r234528 - head/lib/libc/stdio
Message-ID: <20120421070554.GA59737@server.vk2pj.dyndns.org>
In-Reply-To: <201204210608.q3L682O3074354@svn.freebsd.org>
References: <201204210608.q3L682O3074354@svn.freebsd.org>

On 2012-Apr-21 06:08:02 +0000, David Schultz <das@FreeBSD.org> wrote:
>Log:
>  Fix a bug introduced in r187302 that was causing fputws() to enter an
>  infinite loop pretty much unconditionally.

Unfortunately, I suspect you've just turned an unconditional infinite
loop into a conditional one.  There's still a "wsp = ws;" inside the
loop so if you pass in a long string (one that exceeds BUFSIZ bytes
when converted to a multi-byte string) then wsp will be non-NULL after
the call to __wcsnrtombs(), causing the do loop to loop and then wsp
will be re-initialised to ws.

I think the fix is to move the "wsp = ws;" outside the loop.

>  It's remarkable that the
>  patch that introduced the bug was never tested, but even more
>  remarkable that nobody noticed for over two years.

It took me a while to work out that the problem was libc and not my
code.

-- 
Peter Jeremy
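
The loop pattern discussed in this message, as an added example that is not part of the original mail and is not FreeBSD's libc source. It assumes the public POSIX wcsnrtombs() in place of the libc-internal __wcsnrtombs() and a small CHUNK in place of BUFSIZ; convert_chunked(), reset_inside and max_iter are hypothetical names, and the sample strings are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <wchar.h>

#define CHUNK 8 /* assumed stand-in for BUFSIZ so a short string spans chunks */

/*
 * Convert ws to multibyte form CHUNK bytes at a time, appending to out.
 * reset_inside != 0 keeps "wsp = ws;" inside the loop, as in the mail.
 * Returns the number of passes, or -1 on conversion error, if out is too
 * small, or if max_iter passes did not reach the end of the string.
 */
static int convert_chunked(const wchar_t *ws, char *out, size_t outsz,
                           int reset_inside, int max_iter)
{
    char buf[CHUNK];
    mbstate_t st;
    const wchar_t *wsp = ws; /* the fix: initialise once, before the loop */
    size_t used = 0, n;
    int iter = 0;

    memset(&st, 0, sizeof(st));
    do {
        if (reset_inside)
            wsp = ws; /* discards the progress wcsnrtombs() recorded in wsp */
        if (iter++ >= max_iter)
            return -1; /* hypothetical guard so the demo terminates */
        n = wcsnrtombs(buf, &wsp, (size_t)-1, sizeof(buf), &st);
        if (n == (size_t)-1 || used + n >= outsz)
            return -1;
        memcpy(out + used, buf, n);
        used += n;
    } while (wsp != NULL); /* NULL only once the terminating NUL was converted */
    out[used] = '\0';
    return iter;
}

int main(void)
{
    char out[256];
    const wchar_t *longws = L"hello, wide world"; /* constructed: 17 bytes > CHUNK */

    printf("short, reset inside: %d\n", convert_chunked(L"short", out, sizeof(out), 1, 100));
    printf("long,  reset inside: %d\n", convert_chunked(longws, out, sizeof(out), 1, 100));
    printf("long,  reset outside: %d\n", convert_chunked(longws, out, sizeof(out), 0, 100));
    return 0;
}
```

A string that fits in one chunk finishes in a single pass even with the reset inside the loop, which is why the hang is conditional on input length.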