diff options
| author | Noah Goldstein <goldstein.w.n@gmail.com> | 2021-06-09 16:17:14 -0400 |
|---|---|---|
| committer | Noah Goldstein <goldstein.w.n@gmail.com> | 2021-06-23 14:13:00 -0400 |
| commit | da5a6fba0febbfc90896ce1b2eb75c6d8a88a72d (patch) | |
| tree | b0b24fa0d148725804d45f3204c985243d38d526 /string/test-strncat.c | |
| parent | 6f573a27b6c8b4236445810a44660612323f5a73 (diff) | |
| download | glibc-da5a6fba0febbfc90896ce1b2eb75c6d8a88a72d.tar.gz glibc-da5a6fba0febbfc90896ce1b2eb75c6d8a88a72d.tar.xz glibc-da5a6fba0febbfc90896ce1b2eb75c6d8a88a72d.zip | |
String: Add overflow tests for strnlen, memchr, and strncat [BZ #27974]
This commit adds tests for a bug in the wide char variant of the functions where the implementation may assume that maxlen for wcsnlen or n for wmemchr/strncat will not overflow when multiplied by sizeof(wchar_t). These tests show the following implementations failing on x86_64: wcsnlen-sse4_1 wcsnlen-avx2 wmemchr-sse2 wmemchr-avx2 strncat would fail as well if it where on a system that prefered either of the wcsnlen implementations that failed as it relies on wcsnlen. Signed-off-by: Noah Goldstein <goldstein.w.n@gmail.com> Reviewed-by: H.J. Lu <hjl.tools@gmail.com>
Diffstat (limited to 'string/test-strncat.c')
| -rw-r--r-- | string/test-strncat.c | 61 |
1 files changed, 61 insertions, 0 deletions
diff --git a/string/test-strncat.c b/string/test-strncat.c index 2ef917b820..37ea26ea05 100644 --- a/string/test-strncat.c +++ b/string/test-strncat.c @@ -135,6 +135,66 @@ do_test (size_t align1, size_t align2, size_t len1, size_t len2, } static void +do_overflow_tests (void) +{ + size_t i, j, len; + const size_t one = 1; + CHAR *s1, *s2; + uintptr_t s1_addr; + s1 = (CHAR *) buf1; + s2 = (CHAR *) buf2; + s1_addr = (uintptr_t)s1; + for (j = 0; j < 200; ++j) + s2[j] = 32 + 23 * j % (BIG_CHAR - 32); + s2[200] = 0; + for (i = 0; i < 750; ++i) { + for (j = 0; j < i; ++j) + s1[j] = 32 + 23 * j % (BIG_CHAR - 32); + s1[i] = '\0'; + + FOR_EACH_IMPL (impl, 0) + { + s2[200] = '\0'; + do_one_test (impl, s2, s1, SIZE_MAX - i); + s2[200] = '\0'; + do_one_test (impl, s2, s1, i - s1_addr); + s2[200] = '\0'; + do_one_test (impl, s2, s1, -s1_addr - i); + s2[200] = '\0'; + do_one_test (impl, s2, s1, SIZE_MAX - s1_addr - i); + s2[200] = '\0'; + do_one_test (impl, s2, s1, SIZE_MAX - s1_addr + i); + } + + len = 0; + for (j = 8 * sizeof(size_t) - 1; j ; --j) + { + len |= one << j; + FOR_EACH_IMPL (impl, 0) + { + s2[200] = '\0'; + do_one_test (impl, s2, s1, len - i); + s2[200] = '\0'; + do_one_test (impl, s2, s1, len + i); + s2[200] = '\0'; + do_one_test (impl, s2, s1, len - s1_addr - i); + s2[200] = '\0'; + do_one_test (impl, s2, s1, len - s1_addr + i); + + s2[200] = '\0'; + do_one_test (impl, s2, s1, ~len - i); + s2[200] = '\0'; + do_one_test (impl, s2, s1, ~len + i); + s2[200] = '\0'; + do_one_test (impl, s2, s1, ~len - s1_addr - i); + s2[200] = '\0'; + do_one_test (impl, s2, s1, ~len - s1_addr + i); + } + } + } +} + +static void do_random_tests (void) { size_t i, j, n, align1, align2, len1, len2, N; @@ -316,6 +376,7 @@ test_main (void) } do_random_tests (); + do_overflow_tests (); return ret; } |