X-Recipient: archive-cygwin AT delorie DOT com
X-Spam-Check-By: sourceware.org
Date: Sun, 2 May 2010 13:28:37 +0200
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: wctob function overwrites caller-owned register
Message-ID: <20100502112837.GD1845@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <201005021243 DOT 16515 DOT bruno AT clisp DOT org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <201005021243.16515.bruno@clisp.org>
User-Agent: Mutt/1.5.20 (2009-06-14)
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Precedence: bulk
List-Id: <cygwin.cygwin.com>
List-Unsubscribe: <mailto:cygwin-unsubscribe-archive-cygwin=delorie DOT com AT cygwin DOT com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

On May  2 12:43, Bruno Haible wrote:
> In Cygwin 1.7.2, the wctob() function clobbers the %ebx register, which
> belongs to the caller. The effects are random behaviour and crashes in
> the caller.
> [...]
> int
> wctob (wint_t c)
> {
>   mbstate_t mbs;
>   int retval = 0;
>   unsigned char pwc;
> 
>   /* Put mbs in initial state. */
>   memset (&mbs, '\0', sizeof (mbs));
> 
>   _REENT_CHECK_MISC(_REENT);
> 
>   retval = __wctomb (_REENT, &pwc, c, __locale_charset (), &mbs);
> 
>   if (c == EOF || retval != 1)
>     return WEOF;
>   else
>     return (int)pwc;
> }
> [...]
> The bug is that you are passing a 1-byte buffer to a function which will
> write up to MB_CUR_MAX bytes into this buffer. Of course it will clobber the
> memory area next to the 1-byte buffer, and this is the %ebx save area!
> 
> This code dates back to 2002. When Cygwin did not support multibyte encodings,
> MB_CUR_MAX was effectively 1 always. But now, for the UTF-8 encoding at least,
> MB_CUR_MAX is effectively 4.

Thanks for the report.  This is actually a newlib bug.  I'm going to
replace the above function with:

int
wctob (wint_t wc)
{
  mbstate_t mbs;
  int retval = 0;
  unsigned char pmb[MB_LEN_MAX];

  /* Put mbs in initial state. */
  memset (&mbs, '\0', sizeof (mbs));

  _REENT_CHECK_MISC(_REENT);

  retval = __wctomb (_REENT, pmb, wc, __locale_charset (), &mbs);

  if (wc == WEOF || retval != 1)
    return WEOF;
  else
    return (int)pmb[0];
}

However, I'm wondering that you're using this function at all.  It's
usage is heavily frowned upon since it's kind of a historical mistake.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple