[Bug 1035321] [NEW] Wrong memory access with strlen() #2

Sworddragon 1035321 at bugs.launchpad.net
Fri Aug 10 13:57:53 UTC 2012


Public bug reported:

I'm using Ubuntu 12.10 dev with libc6 2.15-0ubuntu16 and valgrind
1:3.7.0-0ubuntu3. After the old bug was fixed
(https://bugs.launchpad.net/ubuntu/+source/eglibc/+bug/839001) there is
now a new bug with a slightly different trigger condition. It
appears with -O3 and -O2 but not with -O1 (like the old bug).

Here is a new code example (compiled with "gcc -O3 -Wall -Wextra -o test
-pedantic test.c" and executed with "valgrind ./test"):

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main()
{
	char *buffer1, buffer2[] = "1234";

	/* 11 bytes: 10 characters plus the terminating NUL */
	buffer1 = malloc(11);
	sprintf(buffer1, "123456%s", buffer2);
	/* strlen() returns size_t, so print it with %zu */
	fprintf(stdout, "%zu\n", strlen(buffer1));
	free(buffer1);
	return 0;
}

This is the output from Valgrind:

==14601== Memcheck, a memory error detector
==14601== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==14601== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==14601== Command: ./test
==14601== 
==14601== Invalid read of size 4
==14601==    at 0x400623: main (in /home/sworddragon/data/test)
==14601==  Address 0x51ef048 is 8 bytes inside a block of size 11 alloc'd
==14601==    at 0x4C2B6CD: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==14601==    by 0x4005EA: main (in /home/sworddragon/data/test)
==14601== 
10
==14601== 
==14601== HEAP SUMMARY:
==14601==     in use at exit: 0 bytes in 0 blocks
==14601==   total heap usage: 1 allocs, 1 frees, 11 bytes allocated
==14601== 
==14601== All heap blocks were freed -- no leaks are possible
==14601== 
==14601== For counts of detected and suppressed errors, rerun with: -v
==14601== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 2 from 2)

** Affects: eglibc (Ubuntu)
     Importance: Undecided
         Status: New

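A triage aid for the Memcheck record in this report, as an added example that is not part of the original bug report, Valgrind or eglibc: it parses the "Invalid read" and "Address" lines and computes how far the access runs past the heap block (here 8 + 4 = 12 against a block of 11, so one byte). The struct and function names are hypothetical, and the "aligned tail read" check is an assumption about what a word-at-a-time string scan looks like, not a diagnosis taken from the report.

```c
#include <stdio.h>
#include <string.h>

/* Numbers taken from one Memcheck "Invalid read/write" record. */
struct access {
	unsigned long addr;   /* address of the access */
	unsigned size;        /* width of the access in bytes */
	unsigned long offset; /* start offset inside the heap block */
	unsigned long block;  /* size of the heap block */
};

/* Parse the "Invalid ..." and "Address ..." lines. Returns 1 on success. */
int parse_access(const char *report, struct access *a)
{
	const char *p = strstr(report, "Invalid ");

	if (!p || sscanf(p, "Invalid %*s of size %u", &a->size) != 1)
		return 0;
	p = strstr(p, "Address ");
	return p && sscanf(p, "Address %lx is %lu bytes inside a block of size %lu",
	                   &a->addr, &a->offset, &a->block) == 3;
}

/* Bytes of the access that lie beyond the end of the block (0 = in bounds). */
unsigned long bytes_past_end(const struct access *a)
{
	unsigned long end = a->offset + a->size;
	return end > a->block ? end - a->block : 0;
}

/* Assumed heuristic: naturally aligned access that only overhangs the tail. */
int is_aligned_tail_read(const struct access *a)
{
	return a->size && a->addr % a->size == 0 && a->offset < a->block &&
	       bytes_past_end(a) > 0 && bytes_past_end(a) < a->size;
}

/* Constructed sample: the two relevant lines copied from the report above. */
static const char sample[] =
	"==14601== Invalid read of size 4\n"
	"==14601==  Address 0x51ef048 is 8 bytes inside a block of size 11 alloc'd\n";

int main(void)
{
	struct access a;
	if (!parse_access(sample, &a))
		return 1;
	printf("%lu byte(s) past end, aligned tail read: %d\n", bytes_past_end(&a), is_aligned_tail_read(&a));
	return 0;
}
```

A result of one byte past the end on an aligned 4-byte access is a useful first cut when deciding whether a Memcheck error points at the program's own indexing or at an optimized string routine reading in whole words.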