[Pkg-clamav-devel] [alpha] Segfault in memchr when called via strstr
Michael Tautschnig
mt at debian.org
Sun Mar 29 19:26:23 UTC 2009
Package: libc6.1
Version: 2.9-6
Severity: important
This is another one from the clamav test suite, but this time the bug is easily
reproducible in isolation (therefore important, severity might be upgraded as
well as it breaks unrelated software).
The following simple snippet causes a segfault when run with electric-fence
preloaded:
#include <string.h>

/* heap-allocated haystack; strstr ends up calling memchr on it */
int main(void) {
    char *bla;
    bla = strdup("aBaaaaaaaaaaax");
    return 0 != strstr(bla, "B1x");
}
The string is somewhat special; it seems the following aspects must hold to
crash strstr (or actually memchr when called from within strstr):
- The char* must be allocated on the heap.
- The number of characters between the B and the final x must not be smaller
than shown here.
- There must be a chance of a match (that is, the string must contain the
initial character of the string to be found).
Reproducing that is simple:
(sid)mt at albeniz:~/clamav-0.95+dfsg/unit_tests$ cat test.c
#include <string.h>

/* heap-allocated haystack; strstr ends up calling memchr on it */
int main(void) {
    char *bla;
    bla = strdup("aBaaaaaaaaaaax");
    return 0 != strstr(bla, "B1x");
}
(sid)mt at albeniz:~/clamav-0.95+dfsg/unit_tests$ gcc test.c ; LD_PRELOAD=/usr/lib/libefence.so ./a.out
Electric Fence 2.1 Copyright (C) 1987-1998 Bruce Perens.
Segmentation fault
And gdb says:
(gdb) where
#0 0x00000200000d9470 in memchr () from /lib/libc.so.6.1
#1 0x00000200000d90c4 in *__GI_strstr (haystack_start=<value optimized out>, needle_start=<value optimized out>) at str-two-way.h:269
#2 0x00000001200005fc in main ()
There is one problem left: I'm not sure whether this is really libc's memchr or
a gcc builtin (in which case this might be a gcc bug).
Best,
Michael
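The following is an added example, not code from the bug report, from glibc or from clamav. It reproduces the mechanism Electric Fence relies on to turn a silent over-read into the segfault seen above: the block is placed so that it ends exactly at a PROT_NONE guard page, and any load that reaches past the end faults. The memchr named naive_memchr here is a hypothetical one that loads unaligned 8-byte words before checking the length; it is not glibc's implementation and nothing here claims to explain the Alpha crash itself. The helpers guarded_alloc, guarded_free and probe_memchr are likewise invented for the example, which assumes a POSIX/Linux host with mmap, mprotect and sigsetjmp. The haystack is the one from the report; note that the probe only faults when the first candidate byte lies far enough from the start that the scanner has to fetch a second word, which is the same "distance between B and x" effect the report describes.

```c
/* Added example: guard-page detection of an over-reading memchr.
 * Not from the bug report, glibc or clamav; assumes Linux/POSIX. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef void *(*memchr_fn)(const void *, int, size_t);

/* Hypothetical over-reading memchr (NOT glibc's): scans unaligned 8-byte
 * words and loads a whole word before checking n, so it can read up to
 * 7 bytes past the end of the block. */
static void *naive_memchr(const void *s, int c, size_t n)
{
    const unsigned char *p = s;
    const uint64_t ones = 0x0101010101010101ULL, highs = 0x8080808080808080ULL;
    uint64_t pat = ones * (unsigned char)c;
    for (size_t i = 0; i < n; i += 8) {
        uint64_t w, x;
        memcpy(&w, p + i, sizeof w);        /* unclamped load: may cross p + n */
        x = w ^ pat;                        /* a zero byte marks a candidate */
        if ((x - ones) & ~x & highs)
            for (size_t k = 0; k < 8 && i + k < n; k++)
                if (p[i + k] == (unsigned char)c)
                    return (void *)(p + i + k);
    }
    return NULL;
}

/* Reference byte-at-a-time memchr: never reads beyond p + n. */
static void *safe_memchr(const void *s, int c, size_t n)
{
    const unsigned char *p = s;
    for (size_t i = 0; i < n; i++)
        if (p[i] == (unsigned char)c)
            return (void *)(p + i);
    return NULL;
}

static size_t data_span(size_t n)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    return (n + pg - 1) / pg * pg;          /* data pages, rounded up */
}

/* Electric Fence-style allocation: n bytes placed so that byte n is the
 * first byte of a PROT_NONE guard page. Reading past the block faults. */
static char *guarded_alloc(size_t n)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE), data = data_span(n);
    char *base = mmap(NULL, data + pg, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return NULL;
    if (mprotect(base + data, pg, PROT_NONE) != 0) {
        munmap(base, data + pg);
        return NULL;
    }
    return base + data - n;
}

static void guarded_free(char *buf, size_t n)
{
    size_t data = data_span(n);
    munmap(buf + n - data, data + (size_t)sysconf(_SC_PAGESIZE));
}

enum { PROBE_ERROR = -3, PROBE_FAULT = -2, PROBE_NOT_FOUND = -1 };
static sigjmp_buf fault_env;
static void on_segv(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Runs fn over a guarded copy of hay (NUL included, as strdup would give).
 * Returns the match offset, PROBE_NOT_FOUND, or PROBE_FAULT if fn touched
 * the guard page. */
static long probe_memchr(memchr_fn fn, const char *hay, int c)
{
    size_t n = strlen(hay) + 1;
    char *buf = guarded_alloc(n);
    struct sigaction sa, old;
    volatile long result = PROBE_FAULT;
    if (!buf)
        return PROBE_ERROR;
    memcpy(buf, hay, n);
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(fault_env, 1) == 0) {     /* returns 1 here after a fault */
        void *r = fn(buf, c, n);
        result = r ? (long)((char *)r - buf) : PROBE_NOT_FOUND;
    }
    sigaction(SIGSEGV, &old, NULL);
    guarded_free(buf, n);
    return result;
}

int main(void)
{
    const char *hay = "aBaaaaaaaaaaax";     /* haystack from the report */
    printf("naive 'B': %ld\n", probe_memchr(naive_memchr, hay, 'B'));  /* 1 */
    printf("naive 'x': %ld\n", probe_memchr(naive_memchr, hay, 'x'));  /* -2 */
    printf("safe  'x': %ld\n", probe_memchr(safe_memchr, hay, 'x'));   /* 13 */
    return 0;
}
```

Searching for 'B' succeeds in the first word and never reaches the guard page; searching for 'x' forces a second unaligned load that straddles the end of the 15-byte block and faults, exactly the kind of read Electric Fence is designed to expose and that a normal malloc would silently tolerate. Production word-at-a-time string routines avoid this by reading only naturally aligned words, which cannot cross a page boundary.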