#18346 closed bug (fixed)

initstate makes out-of-bounds writes

Reported by: bhaible Owned by: nobody
Priority: normal Milestone: R1/beta5
Component: System/POSIX Version: R1/beta4
Keywords: initstate Cc:
Blocked By: Blocking:
Platform: All

Description

The initstate function may write into the array passed as argument. POSIX specifies that the third argument is the size of this array: https://pubs.opengroup.org/onlinepubs/9699919799/functions/initstate.html "The initstate() function allows a state array, pointed to by the state argument, to be initialized for future use. The size argument, which specifies the size in bytes of the state array, shall be used by initstate() to decide what type of random-number generator to use; the larger the state array, the more random the numbers. Values for the amount of state information are 8, 32, 64, 128, and 256 bytes."

In Haiku r1beta4, the initstate functions also clobbers local variables in the calling function.

How to reproduce (on x86_64):

$ gcc -ggdb -Wall foo.c
$ ./a.out
n_big = 14883589
Abort

Attachments (1)

foo.c (252 bytes ) - added by bhaible 21 months ago.
test case

Download all attachments as: .zip

Change History (3)

by bhaible, 21 months ago

Attachment: foo.c added

test case

comment:1 by waddlesplash, 21 months ago

Probably these methods can be replaced with the ones from musl.

comment:2 by waddlesplash, 21 months ago

Milestone: UnscheduledR1/beta5
Resolution: fixed
Status: newclosed

Fixed in hrev56906.

Note: See TracTickets for help on using tickets.