pkgconf / pkgconf

package compiler and linker metadata toolkit

Misuse of ctype(3) functions/macros

riastradh opened this issue · comments

The C standard definition of the <ctype.h> functions, such as isspace, isalpha, isdigit, &c., says:

In all cases the argument is an int, the value of which shall be representable as an unsigned char or shall equal the value of the macro EOF. If the argument has any other value, the behavior is undefined.

This is because they're designed to work with the int values returned by getc or fgetc; they need extra work to handle a char value, for instance when processing a string stored in a char array.

If EOF is -1 (as it almost always is), with 8-bit bytes, the allowed inputs to the ctype(3) functions are:

{-1, 0, 1, 2, 3, ..., 255}.

However, on platforms where char is signed, such as x86 with the usual ABI, code like

char *ptr = ...;
... isspace(*ptr) ...

may pass in values in the range:

{-128, -127, -126, ..., -2, -1, 0, 1, ..., 127}.

This has two problems:

  1. Inputs in the set {-128, -127, -126, ..., -2} are forbidden.

  2. The non-EOF byte 0xff is conflated with the value EOF = -1, so even though the input is not forbidden, it may give the wrong answer.

Casting char to unsigned int first before passing the result to ctype(3) doesn't help: inputs like -128 are unchanged by this cast, because (on a two's-complement machine with 32-bit int and unsigned int), converting the signed char with integer value -128 to unsigned int gives integer value 2^32 - 128 = 0xffffff80, which is out of range, and which is converted back to int as -128, which is also out of range.

It is necessary to cast char inputs to unsigned char first; you can then cast to unsigned int if you like but there's no need because the functions will always convert the argument to int by definition. So the above fragment needs to be:

char *ptr = ...;
... isspace((unsigned char)*ptr) ...

When I run pkgconf on the following pkgconfig file, it crashes with SIGSEGV:

Name: Escape
Version: 4.2.0
Description: Escape utility library
Libs: -Llink\ path\ with\ spaces
Cflags: -Iinclude\ path\ with\ spaces -DA=\"escaped\ string\'\ literal\" -DB=ESCAPED\ IDENTIFIER -DFOX=🦊

gdb shows:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000703e17c0bb80 in pkgconf_parser_parse (f=f@entry=0x703e179ca040,
    data=data@entry=0x703e17e21000, ops=ops@entry=0x703e17e0fae0,
    warnfunc=warnfunc@entry=0x703e17c05237 <pkg_warn_func>,
    filename=filename@entry=0x703e17e2d080 "/home/riastradh/rust/pkg-config/main/tests/escape.pc") at libpkgconf/parser.c:88
88                      while (*p && isspace((unsigned int) *p) && p > value)
(gdb) print p
$1 = 0x7f7fff25c3ea "\212"
(gdb) print value
$2 = 0x7f7fff25c388 "-Iinclude\\ path\\ with\\ spaces -DA=\\\"escaped\\ string\\'\\ literal\\\" -DB=ESCAPED\\ IDENTIFIER -DFOX=�\237\246\212"
(gdb) x/100xb value
0x7f7fff25c388: 0x2d    0x49    0x69    0x6e    0x63    0x6c    0x75    0x64
0x7f7fff25c390: 0x65    0x5c    0x20    0x70    0x61    0x74    0x68    0x5c
0x7f7fff25c398: 0x20    0x77    0x69    0x74    0x68    0x5c    0x20    0x73
0x7f7fff25c3a0: 0x70    0x61    0x63    0x65    0x73    0x20    0x2d    0x44
0x7f7fff25c3a8: 0x41    0x3d    0x5c    0x22    0x65    0x73    0x63    0x61
0x7f7fff25c3b0: 0x70    0x65    0x64    0x5c    0x20    0x73    0x74    0x72
0x7f7fff25c3b8: 0x69    0x6e    0x67    0x5c    0x27    0x5c    0x20    0x6c
0x7f7fff25c3c0: 0x69    0x74    0x65    0x72    0x61    0x6c    0x5c    0x22
0x7f7fff25c3c8: 0x20    0x2d    0x44    0x42    0x3d    0x45    0x53    0x43
0x7f7fff25c3d0: 0x41    0x50    0x45    0x44    0x5c    0x20    0x49    0x44
0x7f7fff25c3d8: 0x45    0x4e    0x54    0x49    0x46    0x49    0x45    0x52
0x7f7fff25c3e0: 0x20    0x2d    0x44    0x46    0x4f    0x58    0x3d    0xf0
0x7f7fff25c3e8: 0x9f    0xa6    0x8a    0x00
(gdb) print (int)(unsigned int)*p
$3 = -118

This pkg-config file came from the test suite of pkg-config-rs, at https://github.com/rust-lang/pkg-config-rs/blob/d039d32155fc3afec9867aa66c29747cbd6f95e5/tests/escape.pc. One might debate whether putting anything outside the US-ASCII range in a pkg-config file is a good idea, but I don't think pkgconf should crash when you do.
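The two casts contrasted in the report, as an added example that is not part of riastradh's issue text or of pkgconf's own code: `ctype_arg_via_unsigned_int` reproduces the value that reaches `isspace()` on the line gdb stopped at, `ctype_arg_via_unsigned_char` shows the value the correct cast produces, `ctype_arg_is_valid` checks the domain the C standard allows, and `trim_trailing_space` is a small trailing-whitespace trim written the safe way. The function names and the sample buffer (the tail of the report's Cflags line plus two trailing spaces) are constructed for this illustration.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* What isspace() receives when a char is cast only to unsigned int, the
 * pattern in the line gdb stopped at.  Where char is signed, the byte 0x8a
 * arrives as -118, outside the domain ctype(3) permits. */
int ctype_arg_via_unsigned_int(char c)
{
    return (int)(unsigned int)c;
}

/* What isspace() receives after the correct cast through unsigned char:
 * always a value in {0, ..., UCHAR_MAX}, so 0x8a arrives as 138 and 0xff
 * arrives as 255 rather than colliding with EOF. */
int ctype_arg_via_unsigned_char(char c)
{
    return (unsigned char)c;
}

/* The domain the C standard allows for a ctype(3) argument:
 * EOF or a value representable as unsigned char. */
int ctype_arg_is_valid(int v)
{
    return v == EOF || (v >= 0 && v <= UCHAR_MAX);
}

/* Trim trailing whitespace from a NUL-terminated byte string in place and
 * return the new length.  The unsigned char cast keeps every byte, including
 * the high bytes of a UTF-8 sequence, inside the valid domain. */
size_t trim_trailing_space(char *s)
{
    size_t n = strlen(s);
    while (n > 0 && isspace((unsigned char)s[n - 1]))
        n--;
    s[n] = '\0';
    return n;
}

int main(void)
{
    /* Constructed sample: the tail of the Cflags line from the report
     * (the fox emoji is the UTF-8 bytes f0 9f a6 8a), plus two spaces. */
    char buf[] = "-DFOX=\xf0\x9f\xa6\x8a  ";
    char last = buf[9]; /* the 0x8a byte gdb printed as "\212" */

    printf("cast via unsigned int:  %d (valid: %d)\n",
           ctype_arg_via_unsigned_int(last),
           ctype_arg_is_valid(ctype_arg_via_unsigned_int(last)));
    printf("cast via unsigned char: %d (valid: %d)\n",
           ctype_arg_via_unsigned_char(last),
           ctype_arg_is_valid(ctype_arg_via_unsigned_char(last)));
    printf("trimmed length: %zu\n", trim_trailing_space(buf));
    return 0;
}
```

On a signed-char platform the first printf reports -118 and invalid; on an unsigned-char platform both casts report 138, which is why the bug stays hidden until the code is built somewhere char is signed.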

Fixed in pending 1.9.5, thanks!