wctob function overwrites caller-owned register
Corinna Vinschen
corinna-cygwin@cygwin.com
Sun May 2 11:28:00 GMT 2010
On May 2 12:43, Bruno Haible wrote:
> In Cygwin 1.7.2, the wctob() function clobbers the %ebx register, which
> belongs to the caller. The effects are random behaviour and crashes in
> the caller.
> [...]
> int
> wctob (wint_t c)
> {
> mbstate_t mbs;
> int retval = 0;
> unsigned char pwc;
>
> /* Put mbs in initial state. */
> memset (&mbs, '\0', sizeof (mbs));
>
> _REENT_CHECK_MISC(_REENT);
>
> retval = __wctomb (_REENT, &pwc, c, __locale_charset (), &mbs);
>
> if (c == EOF || retval != 1)
> return WEOF;
> else
> return (int)pwc;
> }
> [...]
> The bug is that you are passing a 1-byte buffer to a function which will
> write up to MB_CUR_MAX bytes into this buffer. Of course it will clobber the
> memory area next to the 1-byte buffer, and this is the %ebx save area!
>
> This code dates back to 2002. When Cygwin did not support multibyte encodings,
> MB_CUR_MAX was effectively 1 always. But now, for the UTF-8 encoding at least,
> MB_CUR_MAX is effectively 4.
Thanks for the report. This is actually a newlib bug. I'm going to
replace the above function with:
int
wctob (wint_t wc)
{
mbstate_t mbs;
int retval = 0;
unsigned char pmb[MB_LEN_MAX];
/* Put mbs in initial state. */
memset (&mbs, '\0', sizeof (mbs));
_REENT_CHECK_MISC(_REENT);
retval = __wctomb (_REENT, pmb, wc, __locale_charset (), &mbs);
if (wc == WEOF || retval != 1)
return WEOF;
else
return (int)pmb[0];
}
However, I'm wondering that you're using this function at all. It's
usage is heavily frowned upon since it's kind of a historical mistake.
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Project Co-Leader cygwin AT cygwin DOT com
Red Hat
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
More information about the Cygwin
mailing list