[Guile-commits] 44/55: Avoid passing NULL to 'memcpy' and 'memcmp'.
From: Andy Wingo
Subject: [Guile-commits] 44/55: Avoid passing NULL to 'memcpy' and 'memcmp'.
Date: Thu, 23 May 2019 11:52:43 -0400 (EDT)
wingo pushed a commit to branch master
in repository guile.
commit 980d8265c2dc35d6e02e540c9041cbf0975dfede
Author: Mark H Weaver <address@hidden>
Date: Mon Apr 1 22:11:35 2019 -0400
Avoid passing NULL to 'memcpy' and 'memcmp'.
Reported by Jeffrey Walton <address@hidden> in
<https://lists.gnu.org/archive/html/guile-devel/2019-03/msg00001.html>.
Note that C11 section 7.1.4 (Use of library functions) states that:
"unless explicitly stated otherwise in the detailed descriptions [of
library functions] that follow: If an argument to a function has an
invalid value (such as ... a null pointer ...) ..., the behavior is
undefined." Note that 'strxfrm' is an example of a standard C function
that explicitly states otherwise, allowing NULL to be passed in the
first argument if the size argument is zero, but no similar allowance is
specified for 'memcpy' or 'memcmp'.
* libguile/bytevectors.c (scm_uniform_array_to_bytevector): Call memcpy
only if 'byte_len' is non-zero.
* libguile/srfi-14.c (charsets_equal): Call memcmp only if the number of
ranges is non-zero.
* libguile/stime.c (setzone): Pass 1-character buffer to
'scm_to_locale_stringbuf', instead of NULL.
* libguile/strings.c (scm_to_locale_stringbuf): Call memcpy only if the
number of bytes to copy is non-zero.
---
libguile/bytevectors.c | 8 ++++++--
libguile/srfi-14.c | 10 +++++++---
libguile/stime.c | 3 ++-
libguile/strings.c | 11 ++++++++---
4 files changed, 23 insertions(+), 9 deletions(-)
diff --git a/libguile/bytevectors.c b/libguile/bytevectors.c
index 6e3c950..b4dc2ea 100644
--- a/libguile/bytevectors.c
+++ b/libguile/bytevectors.c
@@ -1,4 +1,4 @@
-/* Copyright 2009-2015,2018
+/* Copyright 2009-2015,2018-2019
Free Software Foundation, Inc.
This file is part of Guile.
@@ -671,7 +671,11 @@ SCM_DEFINE (scm_uniform_array_to_bytevector,
"uniform-array->bytevector",
SCM_MISC_ERROR ("uniform elements larger than 8 bits must fill whole
bytes", SCM_EOL);
ret = make_bytevector (byte_len, SCM_ARRAY_ELEMENT_TYPE_VU8);
- memcpy (SCM_BYTEVECTOR_CONTENTS (ret), elts, byte_len);
+ if (byte_len != 0)
+ /* Empty arrays may have elements == NULL. We must avoid passing
+ NULL to memcpy, even if the length is zero, to avoid undefined
+ behavior. */
+ memcpy (SCM_BYTEVECTOR_CONTENTS (ret), elts, byte_len);
scm_array_handle_release (&h);
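Review bot: The new `if (byte_len != 0)` in scm_uniform_array_to_bytevector has no braces, and a four-line comment sits between the condition and the `memcpy` it guards, so the guarded statement is easy to misread and easy to break if a second statement is added later. Suggest moving the comment above the `if` or bracing the body. Keying the test on `byte_len` rather than on `elts == NULL` is fine: it skips the call in every zero-length case, which is exactly the case the comment describes.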
diff --git a/libguile/srfi-14.c b/libguile/srfi-14.c
index 42ee85d..bbddb05 100644
--- a/libguile/srfi-14.c
+++ b/libguile/srfi-14.c
@@ -1,6 +1,4 @@
-/* srfi-14.c --- SRFI-14 procedures for Guile
-
- Copyright 2001,2004,2006-2007,2009,2011,2018
+/* Copyright 2001,2004,2006-2007,2009,2011,2018-2019
Free Software Foundation, Inc.
This file is part of Guile.
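Review bot: Besides the year bump, this header hunk drops the `srfi-14.c --- SRFI-14 procedures for Guile` description line, which the commit message entry for libguile/srfi-14.c does not mention. If this is intentional header normalisation (the result matches the header form shown for bytevectors.c and strings.c), it belongs in its own commit or should at least be listed in the log entry, so the NULL-argument fix stays easy to audit and backport.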
@@ -377,6 +375,12 @@ charsets_equal (scm_t_char_set *a, scm_t_char_set *b)
if (a->len != b->len)
return 0;
+ /* Empty charsets may have ranges == NULL. We must avoid passing
+ NULL to memcmp, even if the length is zero, to avoid undefined
+ behavior. */
+ if (a->len == 0)
+ return 1;
+
if (memcmp (a->ranges, b->ranges, sizeof (scm_t_char_range) * a->len) != 0)
return 0;
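Review bot: The early `return 1` for `a->len == 0` in charsets_equal is correct only because it comes after the `a->len != b->len` check, so at that point both sets are known to be empty; the comment explains the memcmp issue but not that dependency. Suggest adding a few words such as "both lengths are equal here" so that a later reordering of the two checks does not make an empty charset compare equal to a non-empty one.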
diff --git a/libguile/stime.c b/libguile/stime.c
index 2b9651c..6c17eb9 100644
--- a/libguile/stime.c
+++ b/libguile/stime.c
@@ -342,10 +342,11 @@ setzone (SCM zone, int pos, const char *subr)
if (!SCM_UNBNDP (zone))
{
static char *tmpenv[2];
+ char dummy_buf[1];
char *buf;
size_t zone_len;
- zone_len = scm_to_locale_stringbuf (zone, NULL, 0);
+ zone_len = scm_to_locale_stringbuf (zone, dummy_buf, 0);
buf = scm_malloc (zone_len + sizeof (tzvar) + 1);
strcpy (buf, tzvar);
buf[sizeof(tzvar)-1] = '=';
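Review bot: `char dummy_buf[1];` is introduced in setzone without a comment, while the other call sites changed in this patch each explain why the guard exists. A reader who sees `scm_to_locale_stringbuf (zone, dummy_buf, 0)` cannot tell that the buffer is there only to avoid handing a null pointer down to memcpy. Suggest a one-line comment on the declaration. Note also that the strings.c change in this same commit skips memcpy when the copy length is zero, so with `max_len` of 0 this call no longer reaches memcpy at all; it is worth stating whether the dummy buffer is kept deliberately as defence in depth.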
diff --git a/libguile/strings.c b/libguile/strings.c
index a0a1555..b366f5b 100644
--- a/libguile/strings.c
+++ b/libguile/strings.c
@@ -1,4 +1,4 @@
-/* Copyright 1995-1996,1998,2000-2001,2004,2006,2008-2016,2018
+/* Copyright 1995-1996,1998,2000-2001,2004,2006,2008-2016,2018-2019
Free Software Foundation, Inc.
This file is part of Guile.
@@ -2288,13 +2288,18 @@ scm_to_stringn (SCM str, size_t *lenp, const char
*encoding,
size_t
scm_to_locale_stringbuf (SCM str, char *buf, size_t max_len)
{
- size_t len;
+ size_t len, copy_len;
char *result = NULL;
if (!scm_is_string (str))
scm_wrong_type_arg_msg (NULL, 0, str, "string");
result = scm_to_locale_stringn (str, &len);
- memcpy (buf, result, (len > max_len) ? max_len : len);
+ copy_len = (len > max_len) ? max_len : len;
+ if (copy_len != 0)
+ /* Some users of 'scm_to_locale_stringbuf' may pass NULL for buf
+ when max_len is zero, and yet we must avoid passing NULL to
+ memcpy to avoid undefined behavior. */
+ memcpy (buf, result, copy_len);
free (result);
scm_remember_upto_here_1 (str);
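Review bot: The `copy_len != 0` guard in scm_to_locale_stringbuf makes `buf == NULL` with `max_len == 0` a tolerated calling pattern, but that contract is recorded only in a comment inside the function body. Suggest stating it where callers will look (the comment above the function or its API documentation), including that a null `buf` with a non-zero `max_len` is still invalid, since the guard does not check `buf` itself.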