Date: Tue, 27 May 2003 20:02:00 +1000 (EST)
From: Bruce Evans
To: Seva Gluschenko
cc: freebsd-bugs@freebsd.org
cc: Dag-Erling Smorgrav
Subject: Re: bin/52691: str[n][case]cmp may cause segmentation violation with NULL pointers passed
In-Reply-To: <20030527121942.W33922@road.demos.su>
Message-ID: <20030527194116.V1802@gamplex.bde.org>
References: <200305262053.h4QKr3GB026031@freefall.freebsd.org> <20030527121942.W33922@road.demos.su>

On Tue, 27 May 2003, Seva Gluschenko wrote:

> Message of Dag-Erling Smorgrav at May 26 13:53 ...
>
> DS> Synopsis: str[n][case]cmp may cause segmentation violation with NULL pointers passed
> DS>
> DS> State-Changed-From-To: open->closed
> DS> State-Changed-By: des
> DS> State-Changed-When: Mon May 26 13:53:02 PDT 2003
> DS> State-Changed-Why:
> DS> The bug is in the application that passes NULL to strcmp.
>
> Well, sir, can you please quote me some ISO C89 or another standard
> which allows str*cmp not to care about NULL pointers?
From n869.txt (a text version of a draft of C99):

%%%
7.21 String handling

7.21.1 String function conventions

[#1] The header <string.h> declares one type and several functions, and
defines one macro useful for manipulating arrays of character type and
other objects treated as arrays of character type.245) The type is size_t
and the macro is NULL (both described in 7.17). Various methods are used
for determining the lengths of the arrays, but in all cases a char * or
void * argument points to the initial (lowest addressed) character of the
array.

[...]
%%%

NULL doesn't point to an object, so the behavior is undefined (even for
the mem* functions with a count of 0). Also, the str* functions take args
that are pointers to the first element of a string; a string is a
'\0'-terminated array of char; it is an object so the pointer to the
first element of it cannot be NULL.

I couldn't find where the standard explicitly defines "string". In
7.21.1, it carefully avoids saying "string" since it wants to permit the
possibly-non-'\0'-terminated arrays of char that are handled by the mem*
functions.

Bruce
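The application-side guard that the reply above implies, as an added example that is not part of the PR or of this thread: since NULL is not a pointer to a string object, the check has to happen before the call reaches libc. The optstr_* names, the "NULL sorts before every string and equals NULL" convention, and the constructed lookup table are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Compare two optional strings. Passing NULL to strcmp() is undefined
 * behaviour (the argument must point to a '\0'-terminated array), so the
 * caller has to resolve the "no value" case itself. Convention used here
 * (an assumption): NULL == NULL, and NULL sorts before any real string. */
int optstr_cmp(const char *a, const char *b)
{
    if (a == NULL || b == NULL)
        return (a != NULL) - (b != NULL);   /* -1, 0 or 1 */
    return strcmp(a, b);
}

/* Same guard in front of strncasecmp(), for the case-insensitive variant
 * named in the PR's synopsis. */
int optstr_ncasecmp(const char *a, const char *b, size_t n)
{
    if (a == NULL || b == NULL)
        return (a != NULL) - (b != NULL);
    return strncasecmp(a, b, n);
}

/* Constructed sample: a key/value table where some entries carry no value.
 * Searching such a table by value is the typical way a NULL ends up as a
 * strcmp() argument; optstr_cmp() keeps the lookup well-defined. */
struct kv { const char *key; const char *value; };

static const struct kv table[] = {
    { "host",  "freefall" },
    { "user",  NULL },
    { "shell", "/bin/sh" },
};

/* Return the index of the first entry whose value matches, or -1. */
int find_by_value(const char *value)
{
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (optstr_cmp(table[i].value, value) == 0)
            return (int)i;
    return -1;
}
```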