bin/52691: str[n][case]cmp may cause segmentation violation with NULL pointers passed

Bruce Evans bde at zeta.org.au
Tue May 27 03:02:14 PDT 2003


On Tue, 27 May 2003, Seva Gluschenko wrote:

> Message of Dag-Erling Smorgrav at May 26 13:53 ...
>
> DS> Synopsis: str[n][case]cmp may cause segmentation violation with NULL pointers passed
> DS>
> DS> State-Changed-From-To: open->closed
> DS> State-Changed-By: des
> DS> State-Changed-When: Mon May 26 13:53:02 PDT 2003
> DS> State-Changed-Why:
> DS> The bug is in the application that passes NULL to strcmp.
>
> Well, sir, can you please quote me some ISO C89 or another standard
> which allows str*cmp not to care about NULL pointers?

From n869.txt (a text version of a draft of C99):

%%%
       7.21  String handling <string.h>

       7.21.1  String function conventions

       [#1] The header <string.h> declares  one  type  and  several
       functions,  and  defines  one  macro useful for manipulating
       arrays of character type and other objects treated as arrays
       of  character type.245)  The type is size_t and the macro is
       NULL (both described in 7.17).  Various methods are used for
       determining  the  lengths  of the arrays, but in all cases a
       char * or void * argument  points  to  the  initial  (lowest
       addressed)  character of the array.  [...]
%%%

NULL doesn't point to an object, so the behavior is undefined (even
for the mem* functions with a count of 0).

Also, the str* functions take args that are pointers to the
first element of a string; a string is a '\0'-terminated array of
char; it is an object so the pointer to the first element of it
cannot be NULL.

I couldn't find where the standard explicitly defines "string".  In
7.21.1, it carefully avoids saying "string" since it wants to
permit the possibly-non-'\0'-terminated arrays of char that are
handled by the mem* functions.

Bruce
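The application-side fix that des's close note points to, as an added example (not code from the PR or the thread): the caller, not str*cmp, is responsible for keeping NULL out of the comparison. The NULL-ordering policy of strcmp_nullsafe() and the environment-variable helper are assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not from the PR or the thread.  Per 7.21.1 a NULL
 * argument to strcmp() is undefined behaviour, so any NULL check has
 * to happen in the application before the call. */

/* Compare two possibly-NULL C strings without ever passing NULL to
 * strcmp().  Policy (an assumption of this example): a NULL operand
 * sorts before any real string, and two NULLs compare equal. */
int strcmp_nullsafe(const char *a, const char *b)
{
    if (a == NULL || b == NULL)
        return (a != NULL) - (b != NULL);   /* -1, 0 or 1 */
    return strcmp(a, b);
}

/* getenv() returning NULL for an unset variable is the usual way a
 * NULL reaches str*cmp in practice.  An unset variable simply does
 * not match; strcmp() is only reached with a valid string. */
int env_equals(const char *name, const char *want)
{
    const char *val = getenv(name);
    return val != NULL && strcmp(val, want) == 0;
}
```
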